Title: [Hardening] F-10: No 2FA Verification Required Before Destructive or Sensitive Operations. · Issue #13339 · apache/cloudstack · GitHub
Open Graph Title: [Hardening] F-10: No 2FA Verification Required Before Destructive or Sensitive Operations. · Issue #13339 · apache/cloudstack
X Title: [Hardening] F-10: No 2FA Verification Required Before Destructive or Sensitive Operations. · Issue #13339 · apache/cloudstack
Description: The required feature described as a wish Description: CloudStack does not require users to re-verify their identity (step-up authentication) before performing high-impact operations such as deleting or expunging resources or resetting an...
Open Graph Description: The required feature described as a wish Description: CloudStack does not require users to re-verify their identity (step-up authentication) before performing high-impact operations such as deletin...
X Description: The required feature described as a wish Description: CloudStack does not require users to re-verify their identity (step-up authentication) before performing high-impact operations such as deletin...
Opengraph URL: https://github.com/apache/cloudstack/issues/13339
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Hardening] F-10: No 2FA Verification Required Before Destructive or Sensitive Operations.","articleBody":"### The required feature described as a wish\n\n**Description:** CloudStack does not require users to re-verify their identity (step-up authentication) before performing high-impact operations such as deleting or expunging resources or resetting and revealing secrets, such as API keys of other user accounts. Once a user is authenticated for a session, all actions are permitted without additional verification.\n\n**Affected Components:** Management UI\n\n**Impact:** If a valid user session is hijacked (e.g., through XSS, session token theft, or an unattended workstation), an attacker can immediately perform irreversible, destructive actions or extract sensitive credentials without any additional authentication barrier. Requiring TOTP verification as a step-up factor would block this attack vector, whereas a Static PIN would not, as it offers no time-bound or replay-resistant protection.\n\n**Steps to Reproduce:**\n- Log in to the CloudStack Management UI as a Root Admin.\n- Navigate to Compute \u003e Instances \u003e Select any instance \u003e Click on Delete.\n- Observe that the action proceeds to a confirmation dialog without any prompt for TOTP verification.\n\n**Recommended Remediation:** Implement step-up authentication for a defined list of sensitive or destructive operations. Require the user to enter their current TOTP code before executing the operation. Log all step-up authentication events for auditing.","author":{"url":"https://github.com/davift","@type":"Person","name":"davift"},"datePublished":"2026-06-04T00:58:51.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13339/cloudstack/issues/13339"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:679a32ff-596b-bda5-9dc4-30761a146f59 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D7A0:13657F:7E36E5:B8B014:6A4E158A |
| html-safe-nonce | f05efa7d5b8df9b1f0335688ee677770a0fef2ab108746c2a529f3d96d429da5 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEN0EwOjEzNjU3Rjo3RTM2RTU6QjhCMDE0OjZBNEUxNThBIiwidmlzaXRvcl9pZCI6IjMyNzM2NzYyODAxMjIxODUwOTgiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 5939d0fb3d08dd719ddd6cd9b11920a8e7ee62ebd1c646b533216bb49489d6f3 |
| hovercard-subject-tag | issue:4584840785 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13339/issue_layout |
| twitter:image | https://opengraph.githubassets.com/2a7cd166d4116838d5a61755aee6c1686b0f9cf17baf2ef543d23f644df0555e/apache/cloudstack/issues/13339 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/2a7cd166d4116838d5a61755aee6c1686b0f9cf17baf2ef543d23f644df0555e/apache/cloudstack/issues/13339 |
| og:image:alt | The required feature described as a wish Description: CloudStack does not require users to re-verify their identity (step-up authentication) before performing high-impact operations such as deletin... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | davift |
| hostname | github.com |
| expected-hostname | github.com |
| None | 030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | ea9187571e3edc5f2780f750631138669441ca50 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width