CVE-2026-23561info

Summary

by MITRE • 07/09/2026

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system.

Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability landscape within XenServer's Role Based Access Control implementation reveals significant privilege escalation risks through inadequate authorization checks across multiple administrative roles. These issues stem from insufficient enforcement of access controls that should restrict certain system-level operations to the pool-admin role while allowing lower privileged users to perform actions beyond their designated permissions. The fundamental flaw lies in the inconsistent application of security boundaries where vm-admin level privileges are permitted to execute operations that should be restricted to higher privilege tiers, creating opportunities for unauthorized access to critical system resources and potential compromise of the entire virtualization environment.

The technical execution of these vulnerabilities demonstrates how seemingly minor configuration parameters can enable substantial system exploitation. CVE-2026-23559 specifically targets the Virtual Block Device (VBD) configuration where vm-admin users can manipulate the VBD.other_config:backend-local parameter to convert arbitrary dom0 files into virtual disks, enabling both read and write access to critical system files through VM guest execution. This represents a classic arbitrary file read/write vulnerability that falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path). CVE-2026-23560 exposes the ability for vm-admin users to set VM.other-config:is_system_domain, allowing them to mark any virtual machine as a system domain that can evade normal host operations and remain hidden from standard management interfaces. This creates a persistent backdoor mechanism that aligns with ATT&CK technique T1564.001 (Hidden Files and Directories) and represents a privilege escalation vector through system domain manipulation.

CVE-2026-23561 demonstrates how vm-admin users can manipulate VM.other_config:storage_driver_domain to designate VMs as storage domains for specific host storage connections, potentially causing legitimate PBD connections to be incorrectly marked as unplugged during VM shutdown operations. This represents a denial of service vulnerability that impacts system stability and data availability through improper configuration management. The missing authorization check for PCI passthrough configuration in CVE-2026-23562 allows vm-admin users to access host hardware directly, violating the principle of least privilege and potentially enabling direct hardware exploitation or bypass of security controls that should be restricted to pool-admin level access. This aligns with CWE-276 (Improper Ownership) and ATT&CK technique T1068 (Exploitation for Privilege Escalation). CVE-2026-42486 presents another critical oversight where vm-admin users can set the VM.platform:hvm_serial parameter, which should be restricted to pool-admin level access due to its potential for arbitrary dom0 file writes. This vulnerability directly enables a path to system compromise through file system manipulation and represents an improper privilege level access control issue under CWE-284 (Improper Access Control).

The operational impact of these vulnerabilities extends beyond individual system compromise to threaten entire virtualization infrastructures. When vm-admin users can manipulate system domains, perform arbitrary file operations in dom0, or gain direct hardware access through PCI passthrough, they effectively bypass the intended security model that separates different administrative tiers. This creates a scenario where a compromised lower privilege account can escalate to full system control, potentially enabling data exfiltration, system modification, or complete infrastructure compromise. The vulnerabilities collectively represent a breakdown in the core security architecture of XenServer's RBAC implementation, undermining trust in the administrative access controls and creating persistent attack vectors that could remain undetected for extended periods. Organizations relying on XenServer virtualization platforms face significant risk of unauthorized access to critical system resources and potential complete infrastructure compromise through these privilege escalation pathways.

Mitigation strategies should focus on implementing strict enforcement of authorization checks across all API endpoints, ensuring that configuration parameters requiring elevated privileges are properly validated against user roles before execution. System administrators should immediately restrict administrative access to the pool-admin role and implement additional monitoring for unauthorized configuration changes in critical system parameters. The affected API endpoints must be patched to enforce proper access control validation, with all operations requiring specific privilege levels being verified against current user credentials and roles. Regular security audits should validate that RBAC policies are properly enforced and that no unauthorized privilege escalation pathways exist through configuration management interfaces. Additionally, monitoring should be implemented to detect suspicious activities such as system domain marking, arbitrary file operations in dom0, or unexpected PCI passthrough configurations that could indicate exploitation attempts. These measures align with industry standards for access control enforcement and help prevent the types of privilege escalation attacks that these vulnerabilities enable.

Disclosure

07/09/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!