CVE-2026-23561
Deferred Deferred - Pending Action

Privilege Escalation in XenServer XAPI

Vulnerability report for CVE-2026-23561, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Xen Project

Description

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] XAPI can configure different users with different roles, using Role Based Access Control. For more details, see: https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root. The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system. Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected. * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0. * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling. * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not. * CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware. * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
xen server *
xen xapi 26.12.0
xen xapi 26.1.11
xen xapi *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves identifying if any users with the vm-admin role are able to set VM.other_config:storage_driver_domain or perform other unauthorized configurations that should be restricted to higher privileged roles.

Since the vulnerability is related to Role Based Access Control (RBAC) misconfigurations in XAPI, you can check the roles assigned to users and audit VM configurations for suspicious settings.

  • List users and their roles in XAPI to identify any vm-admin users: use the XAPI CLI or API commands to query user roles.
  • Check VM.other_config parameters for the presence of 'storage_driver_domain' set by vm-admin users.
  • Audit logs for any changes to VM.other_config fields related to storage domains or other sensitive settings.

Specific commands depend on your environment, but examples include using 'xe' CLI commands to list VMs and their configurations, and querying user roles via XAPI management tools.

Mitigation Strategies

Immediate mitigation involves restricting or disabling users assigned the vm-admin role or other lower privileged administrator roles that can exploit these vulnerabilities.

Apply patches released in XAPI versions v26.12.0 and v26.1.11, which address these RBAC vulnerabilities.

  • Review and tighten Role Based Access Control policies to ensure only trusted users have privileged roles.
  • Monitor and audit VM configurations and user actions to detect unauthorized changes.

By limiting the assignment of vulnerable roles and applying the official patches, you can prevent privilege escalation and unauthorized configuration changes.

Executive Summary

CVE-2026-23561 is a vulnerability in the XAPI system where a user with the vm-admin role can set the VM.other_config:storage_driver_domain parameter to mark a virtual machine (VM) as the storage domain for a particular host storage connection (PBD).

Because of this, shutting down the VM can cause the PBD to be incorrectly marked as unplugged, even though it is still connected.

Impact Analysis

This vulnerability can lead to incorrect system state reporting, where storage connections (PBDs) are falsely marked as unplugged.

Such false status can disrupt storage availability and management, potentially causing operational issues or downtime for virtual machines relying on that storage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23561. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart