Title: [Hardening] F-12: Absence of Per-Account or Per-User Source CIDR Allowlist. · Issue #13340 · apache/cloudstack · GitHub
Open Graph Title: [Hardening] F-12: Absence of Per-Account or Per-User Source CIDR Allowlist. · Issue #13340 · apache/cloudstack
X Title: [Hardening] F-12: Absence of Per-Account or Per-User Source CIDR Allowlist. · Issue #13340 · apache/cloudstack
Description: The required feature described as a wish Description: CloudStack does not provide a built-in mechanism to restrict per-account or per-user access to a defined set of source IP addresses or CIDR ranges. Any IP address that can reach the m...
Open Graph Description: The required feature described as a wish Description: CloudStack does not provide a built-in mechanism to restrict per-account or per-user access to a defined set of source IP addresses or CIDR ran...
X Description: The required feature described as a wish Description: CloudStack does not provide a built-in mechanism to restrict per-account or per-user access to a defined set of source IP addresses or CIDR ran...
Opengraph URL: https://github.com/apache/cloudstack/issues/13340
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Hardening] F-12: Absence of Per-Account or Per-User Source CIDR Allowlist.","articleBody":"### The required feature described as a wish\n\n**Description:** CloudStack does not provide a built-in mechanism to restrict per-account or per-user access to a defined set of source IP addresses or CIDR ranges. Any IP address that can reach the management plane can attempt to authenticate as any account.\n\n**Affected Components:** Management UI / API\n\n**Impact:** Without source IP allowlisting, a stolen API key or compromised credential set can be used from any network location globally. There is no network-level control to limit the blast radius of a credential compromise. High-privilege service accounts are particularly at risk, as they can be accessed from unexpected locations without raising any flags.\n\n**Steps to Reproduce:**\n- This finding is not directly reproducible since it reflects the absence of a control.\n\n**Recommended Remediation:** Implement a per-account or per-user source CIDR allowlist field in the data model. Requests originating from IPs outside the defined allowlist should be rejected and logged as a security event.","author":{"url":"https://github.com/davift","@type":"Person","name":"davift"},"datePublished":"2026-06-04T01:02:57.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13340/cloudstack/issues/13340"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:9de6b8d3-9d0e-3e51-c754-8203cd357368 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | E6B4:1E1ED:DF76D9:1340418:6A4DD118 |
| html-safe-nonce | f99436ef90a875e5f36f6d72d436d83b1c18e07b0862facfcf63711611a1b59a |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFNkI0OjFFMUVEOkRGNzZEOToxMzQwNDE4OjZBNEREMTE4IiwidmlzaXRvcl9pZCI6IjQ3NzMyMTczMDA2NzIwMDg0NzIiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | aeb7ba6c8b74010b74d5ebafb6220e6114419b330915e737a14e8918d5340f29 |
| hovercard-subject-tag | issue:4584862075 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13340/issue_layout |
| twitter:image | https://opengraph.githubassets.com/6cef57c1e8c1a37db20354fe8ee7c8e974d8494fd182325a92c5fbc8073f00e6/apache/cloudstack/issues/13340 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/6cef57c1e8c1a37db20354fe8ee7c8e974d8494fd182325a92c5fbc8073f00e6/apache/cloudstack/issues/13340 |
| og:image:alt | The required feature described as a wish Description: CloudStack does not provide a built-in mechanism to restrict per-account or per-user access to a defined set of source IP addresses or CIDR ran... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | davift |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width