The ovirt-engine API and administration web portal exposed Power Management credentials including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they control.