CVE-2026-23560info

Summary

by MITRE • 07/09/2026

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system.

Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability landscape within XenServer's Role Based Access Control system reveals critical privilege escalation opportunities that undermine the security model designed to isolate administrative functions. These issues stem from inadequate authorization checks across multiple API endpoints, allowing lower-privileged administrator roles to perform actions typically restricted to pool-admin level users. The fundamental flaw lies in the improper enforcement of access controls where specific configuration parameters can be modified by vm-admin users despite requiring higher privileges, creating pathways for arbitrary file access and system manipulation.

The technical implementation of these vulnerabilities demonstrates a failure in the RBAC enforcement mechanism at multiple points within the XenServer architecture. CVE-2026-23559 specifically exploits a missing authorization check when setting VBD.other_config:backend-local parameters, enabling vm-admin users to convert arbitrary dom0 files into virtual disks and gain read/write access to system files through VM operations. This represents a direct violation of the principle of least privilege as defined in CWE-284, where insufficient access control mechanisms allow unauthorized data access. The vulnerability manifests through the exploitation of a configuration parameter that should be restricted but is instead accessible to users with vm-admin privileges.

CVE-2026-23560 introduces another critical oversight where vm-admin users can manipulate VM.other-config:is_system_domain parameters, effectively allowing them to mark any virtual machine as a system domain. This creates persistent operational risks as system domains are intentionally ignored during host and pool operations, potentially leaving malicious VMs running undetected while bypassing normal maintenance procedures. The attack vector demonstrates a failure in parameter validation and access control enforcement that aligns with CWE-352, representing a form of cross-site request forgery where unauthorized users can modify critical system parameters.

The storage management vulnerabilities present in CVE-2026-23561 show how improper privilege checks extend to host-level storage operations. When vm-admin users can set VM.other_config:storage_driver_domain parameters, they gain the ability to designate VMs as storage domain drivers for specific PBD connections. This manipulation can cause legitimate storage connections to be marked as unplugged during normal operations, creating denial-of-service conditions while potentially allowing unauthorized access to storage resources. The vulnerability represents a failure in the authorization framework that should prevent non-administrative users from modifying critical infrastructure components.

CVE-2026-23562 and CVE-2026-42486 expose additional gaps in the privilege enforcement model where PCI passthrough configuration and HVM serial parameters are accessible to vm-admin users. The missing authorization check for PCI passthrough operations creates a direct pathway for vm-admin users to access host hardware resources they should not be able to control, representing a significant escalation from virtual machine level access to physical system resources. This vulnerability directly correlates with ATT&CK technique T1059.001 where adversaries establish persistence by gaining access to underlying physical resources through virtualization layer manipulation.

The collective impact of these vulnerabilities creates a comprehensive privilege escalation attack surface that allows vm-admin users to achieve pool-admin level capabilities without proper authorization checks. Each vulnerability represents a separate entry point for attackers seeking to compromise the entire XenServer infrastructure, with potential consequences ranging from data exfiltration and system modification to complete denial-of-service conditions. The vulnerabilities collectively demonstrate a failure in the security architecture's defense-in-depth principles, where multiple layers of access control should have prevented unauthorized modifications to critical system components.

Organizations using XenServer systems must implement immediate mitigations including strict API access monitoring, enhanced audit logging for privileged parameter changes, and verification of current RBAC configurations. The recommended approach involves implementing additional authorization checks at the API level, ensuring that all configuration parameters requiring pool-admin privileges are properly validated before acceptance. These mitigations should align with industry best practices for privilege management as outlined in NIST SP 800-53 and ISO/IEC 27001 controls for access control management.

The exploitation of these vulnerabilities would likely follow a pattern where attackers first identify the restricted parameters available to their current role, then systematically escalate privileges by leveraging each individual vulnerability. The attack chain could begin with file read/write operations through VBD manipulation, followed by persistence establishment via system domain marking, and conclude with hardware access through PCI passthrough configuration. This multi-stage approach represents a sophisticated attack vector that demonstrates the critical importance of proper privilege separation in virtualized environments.

Security teams should implement comprehensive monitoring solutions to detect unauthorized parameter changes across all affected API endpoints, particularly focusing on VM configuration parameters that could indicate privilege escalation attempts. The vulnerabilities described here represent a significant risk to enterprise virtualization environments and require immediate attention through patching, access control review, and continuous monitoring of administrative activities. The severity of these issues underscores the importance of maintaining robust security controls in virtualized infrastructure where unauthorized access can lead to complete system compromise across entire pool environments.

Disclosure

07/09/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!