CVE-2026-39910

216.73.217.22

· Published 08/06/2026 17:16 · Modified 09/06/2026 13:51

Labels: CVE-2026-39910 2026-06-08 CVE-2026-39910 CWE-862 [email protected]

Essential information

Published: 08/06/2026 17:16
Modified: 09/06/2026 13:51
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
stackit / iaas api	`cpe:2.3:a:stackit:iaas_api::::::::`