9.4

CVE-2026-23559

Multiple RBAC issues in XAPI

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]


XAPI can configure different users with different roles, using Role
Based Access Control.  For more details, see:

   https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles 

The pool-admin role is fully privileged.  Notably, users with this role
can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.

Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.

 * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
   turn arbitrary files in dom0 into VDIs (virtual disks) and give said
   disks to a VM they control.  This is an arbitrary read and/or modify
   of files in dom0.

 * CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
   and mark a VM as a system domain.  System domains are ignored and
   left running during certain other host/pool operations, and may be
   hidden from view in tooling.

 * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
   and mark a VM as the storage domain for a particular host storage
   connection (PBD). Shutting down the VM can cause the PBD to be
   erroneously marked as unplugged when it is not.

 * CVE-2026-23562: Configuration of PCI passthrough is normally
   restricted to the pool-admin role.  However one API was missing this
   check, allowing a vm-admin access to unintended host hardware.

 * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
   parameter, which should be restricted to the pool-admin role, as it
   can allow arbitrary dom0 file write.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerXen
Produkt XAPI
Default Statusunaffected
Version all
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@xen.org 9.4 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.