CVE-2026-23562info

Summary

by MITRE • 07/09/2026

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system.

Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerabilities described in this XAPI RBAC implementation represent a series of privilege escalation and unauthorized access flaws that undermine the security model of XenServer environments. These issues stem from insufficient enforcement of role-based access controls where lower-privilege administrator roles are able to perform actions that should be restricted to higher-privileged pool-admin users. The vulnerabilities collectively demonstrate a failure in access control enforcement that could allow malicious actors with vm-admin privileges to gain unauthorized access to system resources and potentially escalate their privileges within the virtualized environment.

The core technical flaw involves improper authorization checks within the XAPI interface where specific configuration parameters can be modified by users with vm-admin privileges when they should require pool-admin level permissions. This represents a direct violation of the principle of least privilege and demonstrates inadequate input validation and access control enforcement mechanisms. The vulnerabilities span multiple attack vectors including arbitrary file system access, system domain manipulation, storage management disruption, and hardware passthrough control. Each issue allows for unauthorized modification of critical system parameters that can lead to persistent access or operational disruption.

From an operational impact perspective, these vulnerabilities create significant security risks for XenServer deployments where vm-admin users could potentially escalate their privileges and gain root access to dom0 environments. The ability to manipulate VBD configurations allows for arbitrary file read/write operations within the hypervisor domain, while setting system domain flags can provide persistent hiding of malicious VMs from management interfaces. The storage driver domain manipulation can cause legitimate storage connections to be incorrectly marked as unplugged, leading to service disruption and potential data loss. Additionally, PCI passthrough configuration access enables direct hardware access that could compromise the integrity of the underlying host system. The hvm_serial parameter manipulation further exacerbates these issues by allowing unauthorized file write operations in dom0.

These vulnerabilities align with CWE categories including CWE-284 (Improper Access Control) and CWE-732 (Incorrect Permission Assignment for Critical Resource), reflecting fundamental flaws in authorization enforcement mechanisms. The attack patterns correspond to ATT&CK techniques such as privilege escalation through access control manipulation and persistence via hidden system domains. The specific implementation issues indicate that API endpoints lack proper authentication checks for sensitive configuration parameters, particularly those related to system-level operations and hardware access. Organizations should immediately implement mitigations including role restriction enforcement, parameter validation, and monitoring of unauthorized configuration changes. The recommended approach involves enforcing strict RBAC policies, conducting privilege audits, and implementing automated detection mechanisms to identify unauthorized modifications to critical system parameters across all administrator roles within XenServer environments.

The cumulative effect of these vulnerabilities demonstrates a systemic weakness in the access control implementation that affects multiple security domains including file system integrity, storage management, hardware isolation, and operational visibility. The presence of multiple attack vectors increases the risk surface and provides attackers with several pathways to achieve their objectives, whether through direct privilege escalation or indirect exploitation of interconnected system components. This multi-vector vulnerability class highlights the importance of comprehensive access control validation and the need for robust security testing of privileged API endpoints in virtualization platforms.

Disclosure

07/09/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!