A missing authorization check in the STACKIT IaaS API lets any user with a basic tenant account escalate to full organization compromise, earning a CVSS score of 9.8 (Critical).
What Is It
CVE-2026-39910 is a missing authorization vulnerability (CWE-862) in the STACKIT IaaS API. Any user with an ordinary tenant account, no special privileges required, can exploit the unvalidated PUT servers service-accounts endpoint to attach arbitrary, high-privileged service accounts to virtual machines they control. By then querying the Instance Metadata Service, the attacker can retrieve OAuth2 tokens for those service accounts, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.
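The CWE-862 shape described above, as an added illustration that is hypothetical code and not STACKIT's implementation: a handler that attaches a service account to a server, first in the form that only authenticates the caller, then hardened with the two checks the text implies are missing (caller owns the server, and caller holds an explicit act-as grant for the service account). All type and field names are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model of an IaaS control plane (assumed names, not STACKIT's).
@dataclass(frozen=True)
class Principal:
    user_id: str
    project_id: str                  # tenant the caller authenticated into
    act_as: frozenset = frozenset()  # service accounts the caller may use

@dataclass
class ServiceAccount:
    sa_id: str
    project_id: str
    roles: tuple = ()

@dataclass
class Server:
    server_id: str
    project_id: str
    service_accounts: list = field(default_factory=list)

class Forbidden(Exception):
    pass

def attach_vulnerable(caller, server, sa):
    """CWE-862 shape: the endpoint authenticates the caller, then trusts the
    server and service-account ids from the request body without authorization."""
    server.service_accounts.append(sa.sa_id)
    return server.service_accounts

def authorize_attach(caller, server, sa):
    """Return None when the caller may attach `sa` to `server`, else a denial reason."""
    # 1. Tenant boundary on the resource: the caller must own the target server.
    if server.project_id != caller.project_id:
        return "server belongs to another project"
    # 2. Privilege boundary on the identity: once attached, the metadata service
    #    mints tokens for the service account, so attaching must require an
    #    explicit act-as grant, never just a valid session.
    if sa.sa_id not in caller.act_as:
        return "caller has no act-as grant for this service account"
    return None

def attach_hardened(caller, server, sa):
    """Same operation with both authorization checks evaluated before any state change."""
    reason = authorize_attach(caller, server, sa)
    if reason is not None:
        raise Forbidden(reason)
    server.service_accounts.append(sa.sa_id)
    return server.service_accounts
```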
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (Critical): network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality, integrity, and availability impact. The "no privileges required" rating reflects that the vulnerable endpoint is reachable by any registered tenant account, with no elevated role or special permission needed to trigger it. The CVSS 4.0 secondary score is 9.3 (Critical). Because exploitation crosses tenant boundaries and yields full organization compromise, a single basic account is enough to take over an entire STACKIT environment. STACKIT is an exclusively hosted service, so the blast radius depends on the provider's remediation rather than customer-side patching.
What's Vulnerable
The STACKIT IaaS API is affected, specifically the PUT servers service-accounts endpoint, which fails to validate authorization when attaching service accounts to virtual machines. The supplied NVD record lists no specific affected version ranges or CPEs. Because STACKIT is an exclusively hosted service, the vulnerability resides in STACKIT's managed infrastructure rather than in any customer-deployed component.
Patch Status
The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation. The NVD record is in "Received" status and lists no explicit remediation guidance or fixed version. Because STACKIT is an exclusively hosted service, defenders should monitor the STACKIT status page and the VulnCheck advisory for the provider's mitigation and remediation updates.
Sources
- NVD, CVE-2026-39910 (CVSS 9.8, CWE-862)
- VulnCheck Advisory, STACKIT IaaS API Privilege Escalation via Service Account Attachment: https://www.vulncheck.com/advisories/stackit-iaas-api-privilege-escalation-via-service-account-attachment
- STACKIT Status Page: https://status.stackit.cloud