CVE-2026-39910

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

Vulnerability Details

Published Date

June 08, 2026

Last Modified

June 08, 2026

CWE ID

CWE-862

Source

NVD

Vendor

STACKIT

Product

IaaS API

External References

https://status.stackit.cloud
https://www.vulncheck.com/advisories/stackit-iaas-api-privilege-escalation-via-service-account-attachment

CVE-2026-39910

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment