Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs.
http://markmail.org/thread/yfuxgymdqwg3kcg4
http://cloudstack.org/blog/185-cloudstack-configuration-vulnerability-discovered.html
http://archives.neohapsis.com/archives/bugtraq/2012-10/0062.html