This is a security release that fixes the following on top of the 4.22.0.1 release:
CVE-2025-66170 Any user can list backups that they should not have access to. (severity 'Low')
CVE-2025-66171 Any user can create a new VM from backups they should not have access to (severity 'Important')
CVE-2025-66172 Any user can attach a volume in their VMs from backups they should not have access to (severity 'Important')
CVE-2025-66467 MinIO policy remains intact on bucket deletion (severity 'Important')
CVE-2025-69233 Domain/account resources limits not honored (severity 'Moderate')
CVE-2026-25077 Unauthenticated Command Injection in Direct Download Templates (severity 'Important')
CVE-2026-25199 Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access(severity 'Moderate')
Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.20.3.0-4.22.0.1/
Release notes: https://docs.cloudstack.apache.org/en/4.22.0.1/releasenotes
Installation docs: https://docs.cloudstack.apache.org/en/4.22.0.1/installguide
Upgrade docs: https://docs.cloudstack.apache.org/en/4.22.0.1/upgrading
Admin docs: https://docs.cloudstack.apache.org/en/4.22.0.1/adminguide
API docs: https://cloudstack.apache.org/api/apidocs-4.22