Apache CloudStack 4.22.0.0 LTS release

Release notes: https://docs.cloudstack.apache.org/en/4.22.0.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.22.0.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.22.0.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.22.0.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.22

Apache CloudStack 4.20 maintenance release

Release notes: https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.20.2.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.20.2.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.20.2.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.20

Apache CloudStack Regular Release 4.21.0.0

Release notes: https://docs.cloudstack.apache.org/en/4.21.0.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.21.0.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.21.0.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.21.0.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.21

Apache CloudStack 4.20 maintenance release

Release notes: https://docs.cloudstack.apache.org/en/4.20.1.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.20.1.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.20.1.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.20.1.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.20

This LTS release includes fixes for the following security issues:

• CVE-2025-26521: CKS cluster in project exposes user API keys
• CVE-2025-30675: Unauthorised template/ISO list access to the domain/resource admins
• CVE-2025-47713: Domain Admin can reset Admin password in Root Domain
• CVE-2025-47849: Insecure access of user's API/Secret Keys in the same domain
• CVE-2025-22829: Unauthorised access to dedicated resources in Quota plugin

Advisory: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0

Apache CloudStack 4.19 maintenance release

Release notes: https://docs.cloudstack.apache.org/en/4.19.3.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.3.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.3.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.3.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

This LTS release includes fixes for the following security issues:

• CVE-2025-26521: CKS cluster in project exposes user API keys
• CVE-2025-30675: Unauthorised template/ISO list access to the domain/resource admins
• CVE-2025-47713: Domain Admin can reset Admin password in Root Domain
• CVE-2025-47849: Insecure access of user's API/Secret Keys in the same domain

Advisory: https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0

Apache CloudStack 4.19 maintenance release

Release notes: https://docs.cloudstack.apache.org/en/4.19.2.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.2.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.2.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.2.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

Release notes: https://docs.cloudstack.apache.org/en/4.20.0.0/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.20.0.0/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.20.0.0/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.20.0.0/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.20

This is a security release that fixes the following on top of the 4.19.1.3 release:

CVE-2024-50386: Directly downloaded templates can be used to abuse KVM-based infrastructure

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3

Release notes: https://docs.cloudstack.apache.org/en/4.19.1.3/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.1.3/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.1.3/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.1.3/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19

This is a security release that fixes the following on top of the 4.18.2.4 release:

CVE-2024-50386 Directly downloaded templates can be used to abuse KVM-based infrastructure

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3

Release notes: https://docs.cloudstack.apache.org/en/4.18.2.5/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.18.2.5/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.18.2.5/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.18.2.5/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.18

This is a security release that fixes the following on top of the 4.19.1.1 release:

• CVE-2024-45219: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
• CVE-2024-45461: Access checks not enforced in Quota
• CVE-2024-45462: Incomplete session invalidation on web interface logout
• CVE-2024-45693: Request origin validation bypass makes account takeover possible

Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

Release notes: https://docs.cloudstack.apache.org/en/4.19.1.2/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.19.1.2/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.19.1.2/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.19.1.2/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.19