SB2026042913 - Multiple RBAC vulnerabilities in XenAPI Server

Published: April 29, 2026

Security Bulletin ID: SB2026042913
Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 20% (1 of 5)
Low: 80% (4 of 5)

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-23559)

The vulnerability allows a remote user to read and modify arbitrary files in dom0.

The vulnerability exists due to improper access control in VBD.other_config:backend-local handling when configuring a virtual block device. A remote user can set the backend-local option to turn arbitrary files in dom0 into virtual disks and attach them to a VM they control to read and modify arbitrary files in dom0.

The vulnerability is exposed only when RBAC is configured for the pool.


2) Improper access control (CVE-ID: CVE-2026-23560)

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in VM.other_config:is_system_domain when modifying VM configuration. A remote user can mark a VM as a system domain to escalate privileges.

System domains may be ignored and left running during certain host or pool operations, and may be hidden from view in tooling.


3) Improper access control (CVE-ID: CVE-2026-23561)

The vulnerability allows a remote user to disrupt storage management operations.

The vulnerability exists due to improper access control in VM.other_config:storage_driver_domain when modifying VM configuration. A remote user can mark a VM as the storage domain for a host storage connection and shut down that VM to disrupt storage management operations.

Shutting down the VM can cause the associated PBD to be erroneously marked as unplugged when it is not. The vulnerability is exposed only when RBAC is configured for the pool.


4) Improper access control (CVE-ID: CVE-2026-23562)

The vulnerability allows a remote user to access unintended host hardware.

The vulnerability exists due to improper access control in a PCI passthrough API when configuring PCI passthrough. A remote user can invoke the API without the intended pool-admin restriction to access unintended host hardware.

The vulnerability is exposed only when RBAC is configured for the pool.


5) Improper access control (CVE-ID: CVE-2026-42486)

The vulnerability allows a remote user to write arbitrary files in dom0.

The vulnerability exists due to improper access control in VM.platform:hvm_serial when modifying VM platform parameters. A remote user can set the hvm_serial parameter to write arbitrary files in dom0.

The vulnerability is exposed only when RBAC is configured for the pool.
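Four of the five entries above describe persistent configuration keys (VBD.other_config:backend-local, VM.other_config:is_system_domain, VM.other_config:storage_driver_domain and VM.platform:hvm_serial) that an RBAC-restricted user should not have been able to set. The following audit script is an added example, not vendor or bulletin code: it scans VM and VBD records for those keys so a pool administrator can review existing settings before and after applying the update. The record dictionaries have the shape returned by the XenAPI calls VM.get_all_records and VBD.get_all_records; the sample records embedded below are constructed for the demonstration, and the hvm_serial heuristic (treating values other than the common "pty"/"none" as worth review) is the example's own assumption, not something the bulletin states. The PCI passthrough issue (CVE-2026-23562) is an API authorization flaw with no configuration marker to look for, so this scan does not cover it.

```python
"""Audit XenAPI VM/VBD records for the RBAC-sensitive keys named in SB2026042913.

Added example, not vendor code. Input dictionaries follow the shape returned by
the XenAPI calls VM.get_all_records and VBD.get_all_records (opaque ref -> record).
The sample records at the bottom are constructed for the demo.
"""

from dataclasses import dataclass

# Keys the bulletin names, mapped to the CVE and the impact it describes.
VM_OTHER_CONFIG_KEYS = {
    "is_system_domain": ("CVE-2026-23560", "VM marked as system domain"),
    "storage_driver_domain": ("CVE-2026-23561", "VM marked as storage driver domain"),
}
VBD_OTHER_CONFIG_KEYS = {
    "backend-local": ("CVE-2026-23559", "VBD backed by a local dom0 file"),
}
# Assumption (not from the bulletin): these hvm_serial values are routine;
# anything else is reported for manual review under CVE-2026-42486.
HVM_SERIAL_EXPECTED = {"pty", "none", ""}


@dataclass(frozen=True)
class Finding:
    cve: str
    obj_ref: str
    vm_name: str
    detail: str


def audit_vms(vm_records):
    """Flag VMs whose other_config or platform carry bulletin-listed keys.

    The control domain (dom0) is skipped: it is a system domain by design.
    """
    findings = []
    for ref, rec in vm_records.items():
        if rec.get("is_control_domain"):
            continue
        name = rec.get("name_label", "?")
        other = rec.get("other_config", {})
        for key, (cve, what) in VM_OTHER_CONFIG_KEYS.items():
            if key in other:
                findings.append(Finding(cve, ref, name, f"{what}: other_config[{key}]={other[key]!r}"))
        serial = rec.get("platform", {}).get("hvm_serial")
        if serial is not None and serial not in HVM_SERIAL_EXPECTED:
            findings.append(Finding("CVE-2026-42486", ref, name, f"platform[hvm_serial]={serial!r} (review)"))
    return findings


def audit_vbds(vbd_records, vm_records):
    """Flag VBDs carrying backend-local, resolving the owning VM's name for the report."""
    findings = []
    for ref, rec in vbd_records.items():
        other = rec.get("other_config", {})
        for key, (cve, what) in VBD_OTHER_CONFIG_KEYS.items():
            if key in other:
                vm_name = vm_records.get(rec.get("VM"), {}).get("name_label", "?")
                findings.append(Finding(cve, ref, vm_name, f"{what}: other_config[{key}]={other[key]!r}"))
    return findings


def audit_pool(vm_records, vbd_records):
    """Run both audits and return all findings in one list."""
    return audit_vms(vm_records) + audit_vbds(vbd_records, vm_records)


# Constructed sample records (not captured from a real pool).
SAMPLE_VMS = {
    "OpaqueRef:dom0": {"name_label": "Control domain on host", "is_control_domain": True,
                       "other_config": {"is_system_domain": "true"}, "platform": {}},
    "OpaqueRef:vm-a": {"name_label": "web-01", "is_control_domain": False,
                       "other_config": {}, "platform": {"hvm_serial": "pty"}},
    "OpaqueRef:vm-b": {"name_label": "guest-b", "is_control_domain": False,
                       "other_config": {"is_system_domain": "true",
                                        "storage_driver_domain": "OpaqueRef:pbd-constructed"},
                       "platform": {"hvm_serial": "custom-serial-target"}},
}
SAMPLE_VBDS = {
    "OpaqueRef:vbd-1": {"VM": "OpaqueRef:vm-a", "other_config": {}},
    "OpaqueRef:vbd-2": {"VM": "OpaqueRef:vm-b", "other_config": {"backend-local": "true"}},
}

if __name__ == "__main__":
    # On a live pool the two dicts would come from
    # session.xenapi.VM.get_all_records() and session.xenapi.VBD.get_all_records().
    for f in audit_pool(SAMPLE_VMS, SAMPLE_VBDS):
        print(f"{f.cve}  {f.obj_ref}  ({f.vm_name}): {f.detail}")
```

Findings on a live pool are a review list, not proof of compromise: a legitimately configured driver domain or a deliberately redirected serial console will also show up, so each hit should be matched against change records for the pool.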


Remediation

Install the update from the vendor's website.