No vendor fix or workaround currently provided.
No advisories yet.
Tue, 09 Jun 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Tue, 09 Jun 2026 09:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Stackit, Stackit iaas Api | |
| Vendors & Products | Stackit, Stackit iaas Api | |
Mon, 08 Jun 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment. | |
| Title | STACKIT IaaS API Privilege Escalation via Service Account Attachment | |
| Weaknesses | CWE-862 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-09T15:47:16.803Z
Reserved: 2026-04-07T20:57:06.209Z
Link: CVE-2026-39910
Updated: 2026-06-09T15:47:11.780Z
Status : Deferred
Published: 2026-06-08T17:16:42.613
Modified: 2026-06-09T13:51:18.770
Link: CVE-2026-39910
OpenCVE Enrichment
Updated: 2026-06-09T08:56:57Z