CVE-2026-39910: Missing Authorization in STACKIT IaaS API
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
AI Analysis
Technical Summary
STACKIT IaaS API suffers from a missing authorization check vulnerability (CVE-2026-39910) that permits authenticated users with low privileges to escalate their access to full organizational control. The flaw exists in the PUT servers service-accounts endpoint, which does not validate the service accounts being attached to virtual machines. Attackers can attach arbitrary, high-privileged service accounts and then query the Instance Metadata Service to obtain OAuth2 tokens. This bypasses tenant isolation and allows unauthorized access to the organization's entire environment. The vulnerability is rated critical with a CVSS 4.0 score of 9.3. No patch or remediation level is currently documented, and the service is not cloud-hosted, so remediation responsibility lies with the vendor and users.
Potential Impact
Exploitation of this vulnerability allows an authenticated attacker with low privileges to escalate to full organization compromise by attaching high-privileged service accounts to virtual machines they control. This leads to unauthorized access to OAuth2 tokens via the Instance Metadata Service, effectively bypassing tenant boundaries and enabling control over the entire organizational environment. The impact is critical due to the potential for complete environment takeover.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level has been published, organizations should monitor vendor communications closely. Until a patch is available, restrict access to the affected API endpoints to trusted users only and apply strict access controls to minimize exposure. Avoid granting unnecessary privileges to service accounts and review service account attachments regularly.
CVE-2026-39910: Missing Authorization in STACKIT IaaS API
Description
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
CVSS v4.0
Score 9.3critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
STACKIT IaaS API suffers from a missing authorization check vulnerability (CVE-2026-39910) that permits authenticated users with low privileges to escalate their access to full organizational control. The flaw exists in the PUT servers service-accounts endpoint, which does not validate the service accounts being attached to virtual machines. Attackers can attach arbitrary, high-privileged service accounts and then query the Instance Metadata Service to obtain OAuth2 tokens. This bypasses tenant isolation and allows unauthorized access to the organization's entire environment. The vulnerability is rated critical with a CVSS 4.0 score of 9.3. No patch or remediation level is currently documented, and the service is not cloud-hosted, so remediation responsibility lies with the vendor and users.
Potential Impact
Exploitation of this vulnerability allows an authenticated attacker with low privileges to escalate to full organization compromise by attaching high-privileged service accounts to virtual machines they control. This leads to unauthorized access to OAuth2 tokens via the Instance Metadata Service, effectively bypassing tenant boundaries and enabling control over the entire organizational environment. The impact is critical due to the potential for complete environment takeover.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level has been published, organizations should monitor vendor communications closely. Until a patch is available, restrict access to the affected API endpoints to trusted users only and apply strict access controls to minimize exposure. Avoid granting unnecessary privileges to service accounts and review service account attachments regularly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-07T20:57:06.209Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a26f68ee29bf47b50440d40
Added to database: 6/8/2026, 5:06:22 PM
Last enriched: 6/8/2026, 5:18:39 PM
Last updated: 6/8/2026, 8:23:06 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.