CVE-2026-39910
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control.
Risk Assessment
Attackers can exploit this vulnerability to gain unauthorized access to the entire organization environment, posing a serious threat to data and resource security.
Recommendation
It is recommended to implement proper authorization checks for API endpoints and to monitor and restrict access to high-privileged service accounts.
Original NVD description (English source)
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

