{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-39910/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-09T15:47:16.803Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-39910","@id":"https://www.cve.org/CVERecord?id=CVE-2026-39910","description":"STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control ov…"},"products":[{"@id":"cpe:2.3:a:stackit:iaas_api:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:stackit:iaas_api:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 2026-05-28.","timestamp":"2026-06-09T15:47:16.803Z"}]}