CVE-2026-23559
Deferred Deferred - Pending Action

Privilege Escalation in XenServer XAPI

Vulnerability report for CVE-2026-23559, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Xen Project

Description

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] XAPI can configure different users with different roles, using Role Based Access Control. For more details, see: https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root. The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system. Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected. * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0. * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling. * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not. * CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware. * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
xen xapi 26.12.0
xen xapi 26.1.11

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerabilities described in CVE-2026-23559 and related issues allow lower-privileged users (such as vm-admins) to escalate their privileges to pool-admin level, granting full system access including root SSH access. This unauthorized access can lead to arbitrary reading and modification of files in the dom0 system, which may include sensitive data.

Such unauthorized access and potential data manipulation pose significant risks to compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. The ability for lower-privileged users to bypass intended restrictions undermines these compliance requirements.

Mitigation involves disabling users assigned to vulnerable roles and applying patches released in XAPI versions v26.12.0 and v26.1.11 to restore proper access controls.

Impact Analysis

This vulnerability can have a significant impact because it allows a vm-admin user to escalate their privileges by accessing or modifying arbitrary files in the dom0 system. Since dom0 is the privileged domain that controls the host, unauthorized access or modification of its files can lead to full system compromise, including potential root access. This could result in unauthorized control over the host system, data breaches, or disruption of services.

Executive Summary

CVE-2026-23559 is a vulnerability in XAPI, the management tool for Xen-based systems, related to Role Based Access Control (RBAC). It allows a user with the vm-admin role, which is a lower-privileged administrator role, to set the parameter VBD.other_config:backend-local. This enables the vm-admin to turn arbitrary files in the dom0 (the privileged domain in Xen) into virtual disks (VDIs) and assign those disks to a VM they control. Essentially, this means the vm-admin can read or modify arbitrary files in dom0, which should normally be restricted.

Detection Guidance

Detection of this vulnerability involves identifying if any users with the vm-admin role are able to set parameters such as VBD.other_config:backend-local, VM.other-config:is_system_domain, VM.other_config:storage_driver_domain, or VM.platform:hvm_serial. Since these settings allow privilege escalation and arbitrary file access or modification in dom0, monitoring changes to these VM configurations is critical.

You can check the roles assigned to users in XAPI and audit VM configurations for suspicious parameter changes.

Suggested commands include using the XenAPI or xapi CLI tools to list VM configurations and user roles. For example:

  • List users and their roles to identify vm-admin assignments.
  • Query VM configurations for the presence of the parameters: VBD.other_config:backend-local, VM.other-config:is_system_domain, VM.other_config:storage_driver_domain, VM.platform:hvm_serial.
  • Use commands like `xe vm-param-list uuid=<vm-uuid>` to inspect VM parameters.
  • Audit logs for changes to these parameters or unusual VM behavior such as hidden system domains or unexpected storage domain assignments.
Mitigation Strategies

Immediate mitigation steps include disabling or removing users assigned the vm-admin role who do not require it, as this role can be exploited to escalate privileges.

Apply patches released in XAPI versions v26.12.0 and v26.1.11 which address these vulnerabilities.

Restrict access to the pool-admin role and audit role assignments regularly to ensure least privilege.

Monitor and audit VM configurations for unauthorized changes to sensitive parameters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart