CVE-2026-51083 in Virtual Environmentinfo

Summary

by MITRE • 07/17/2026

Incorrect access control in Proxmox Virtual Environment (PVE) 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users within limited privileges to obtain hashed passwords via the cloudinit/dump API.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability represents a critical access control flaw in Proxmox Virtual Environment that undermines the security model of virtualized infrastructure management. The issue affects versions prior to 9.1.8 for the 9.x series and 8.4.8 for the 8.x series, where unauthorized users with limited privileges can exploit the cloudinit/dump API endpoint to extract hashed passwords from the system. This represents a direct violation of the principle of least privilege and demonstrates inadequate authorization controls within the qemu-server component that manages virtual machine operations.

The technical implementation of this vulnerability stems from insufficient input validation and access control enforcement within the cloudinit/dump API handler. When legitimate users attempt to access this endpoint, the system fails to properly verify whether the requesting user possesses adequate permissions to view sensitive authentication data. This flaw allows attackers with minimal privileges to bypass normal security boundaries and obtain password hashes that could potentially be used for credential stuffing attacks or further exploitation within the virtual environment. The vulnerability is categorized under CWE-284 which specifically addresses improper access control mechanisms, making it a direct implementation of weak authorization controls.

The operational impact of this vulnerability extends beyond simple information disclosure, as hashed passwords provide attackers with valuable credentials that can be targeted through various attack vectors. In virtualized environments where Proxmox serves as the primary management platform, unauthorized access to password hashes could enable attackers to escalate privileges within the virtual infrastructure or conduct lateral movement attacks against other systems that share authentication credentials. The cloudinit functionality is commonly used for automated virtual machine provisioning and configuration, making this endpoint a high-value target for malicious actors seeking to compromise the entire virtualized environment.

Mitigation strategies should focus on immediate patch deployment to versions 9.1.8 or 8.4.8 where the access control restrictions have been properly implemented. Organizations should also implement network segmentation to limit access to the qemu-server API endpoints and enforce strict monitoring of API access patterns for unusual activity. Security teams should conduct comprehensive audits of all API endpoints within virtualization platforms, particularly those handling authentication data, to identify similar access control vulnerabilities. Additionally, implementing multi-factor authentication and regular privilege reviews can help reduce the impact of such exposures. This vulnerability aligns with attack techniques documented in the ATT&CK framework under credential access and privilege escalation categories, emphasizing the need for robust API security controls in virtualized environments.

Responsible

MITRE

Reservation

06/07/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!