What is GHSA-p35h-r99r-9fcm?

GHSA-p35h-r99r-9fcm is a security advisory published by GitHub Security Advisories with Critical severity. STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated,...

Which CVE IDs does GHSA-p35h-r99r-9fcm cover?

GHSA-p35h-r99r-9fcm covers the following CVE IDs: CVE-2026-39910. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-p35h-r99r-9fcm?

GHSA-p35h-r99r-9fcm has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

GHSA-p35h-r99r-9fcmCriticalCVSS 9.8

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated,...

Vendor

GitHub Security Advisories

Published

June 8, 2026

Last Modified

June 8, 2026

🔗 CVE IDs covered (1)

CVE-2026-39910 →

📋 Description

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-39910
https://status.stackit.cloud
https://www.vulncheck.com/advisories/stackit-iaas-api-privilege-escalation-via-service-account-attachment
https://github.com/advisories/GHSA-p35h-r99r-9fcm