CVE-2026-23562
Deferred Deferred - Pending Action

Privilege Escalation in XenServer XAPI

Vulnerability report for CVE-2026-23562, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Xen Project

Description

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] XAPI can configure different users with different roles, using Role Based Access Control. For more details, see: https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles The pool-admin role is fully privileged. Notably, users with this role can also SSH into the host as root. The other administrator roles are pool-operator, vm-power-admin and vm-admin, each of which are authorised to configure and manage various aspects of the system. Some settings are inadequately restricted, and can be set by a lower privilege of administrator than expected. * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and turn arbitrary files in dom0 into VDIs (virtual disks) and give said disks to a VM they control. This is an arbitrary read and/or modify of files in dom0. * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain and mark a VM as a system domain. System domains are ignored and left running during certain other host/pool operations, and may be hidden from view in tooling. * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain and mark a VM as the storage domain for a particular host storage connection (PBD). Shutting down the VM can cause the PBD to be erroneously marked as unplugged when it is not. * CVE-2026-23562: Configuration of PCI passthrough is normally restricted to the pool-admin role. However one API was missing this check, allowing a vm-admin access to unintended host hardware. * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter, which should be restricted to the pool-admin role, as it can allow arbitrary dom0 file write.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
xen server *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-23562 is a vulnerability in the XAPI system where the configuration of PCI passthrough, which should be restricted to the highly privileged pool-admin role, is accessible through one API without proper role checks. This allows a vm-admin, a lower-privileged administrator role, to gain unintended access to host hardware.

Compliance Impact

The vulnerabilities in XAPI allow lower-privileged administrators to escalate their privileges to pool-admin level, granting full system access including root SSH access. This unauthorized privilege escalation and potential arbitrary file read/write in the host system could lead to unauthorized access or modification of sensitive data.

Such unauthorized access and privilege escalation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Mitigation involves disabling users assigned the vulnerable roles and applying patches released in XAPI versions v26.12.0 and v26.1.11 to prevent these privilege escalations.

Detection Guidance

Detection of CVE-2026-23562 involves identifying if a vm-admin user has been able to configure PCI passthrough, which should normally be restricted to the pool-admin role.

Since the vulnerability is related to Role Based Access Control (RBAC) misconfigurations in XAPI, you can check the roles assigned to users and audit any PCI passthrough configurations made by vm-admin roles.

Suggested commands include:

  • Review user roles in XAPI to identify vm-admin users: use XenServer or XAPI management tools or APIs to list users and their roles.
  • Check PCI passthrough device assignments to VMs to see if any were configured by vm-admin users instead of pool-admin.
  • Audit XAPI logs for API calls related to PCI passthrough configuration to detect unauthorized changes.

Specific command examples are not provided in the available resources.

Impact Analysis

This vulnerability can allow a vm-admin to access host hardware that they should not be able to control. Since PCI passthrough involves direct hardware access, this could lead to unauthorized use or manipulation of physical devices on the host, potentially compromising the security and stability of the system.

Mitigation Strategies

The vulnerability CVE-2026-23562 allows a vm-admin role to configure PCI passthrough, which should normally be restricted to the pool-admin role.

Immediate mitigation steps include ensuring that only trusted users have the pool-admin role and reviewing role assignments to prevent vm-admin users from accessing unintended host hardware.

Additionally, monitoring and restricting API access related to PCI passthrough configuration can help prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23562. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart