CRITICALVulnerability
Verified
Global
NVD CRITICAL: CVE-2026-39910 — STACKIT IaaS API contains a missing authorization check vulnerability that allow...
·Source: NIST NVD
Updated:
Executive Summary
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadat
Analysis
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment. CVSS Score: 9.8. Published: 2026-06-08T17:16:42.613.