Improper access control in XenAPI Server - CVE-2026-23559

Published: April 29, 2026


Vulnerability identifier: #VU128446
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-23559
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XenAPI Server
Software vendor: Xen Project

Description

The vulnerability allows a remote user to read and modify arbitrary files in dom0.

The vulnerability exists due to improper access control in the handling of VBD.other_config:backend-local when configuring a virtual block device. A remote user can set the backend-local option to expose arbitrary dom0 files as virtual disks and attach them to a VM they control, gaining read and write access to those files.

The vulnerability is exposed only when RBAC is configured for the pool.
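A defender's audit for the setting described above, as an added example that is not Xen Project code: it walks VBD records and reports every device whose other_config carries the backend-local key. The records here are constructed samples shaped like the output of XenAPI's VBD.get_all_records() (field names assumed to match the live API, paths are placeholders); SAMPLE_VBDS, SAMPLE_VM_NAMES and find_backend_local_vbds are this example's own names.

```python
"""Audit XenAPI VBD records for VBD.other_config:backend-local (CVE-2026-23559).
Added example, not Xen Project code; field names mirror XenAPI's
VBD.get_all_records() output and the sample data is constructed."""
from typing import Dict, List

BACKEND_LOCAL_KEY = "backend-local"

# Constructed sample VBD records (a subset of the real XenAPI VBD fields).
SAMPLE_VBDS: Dict[str, dict] = {
    "OpaqueRef:vbd-1": {
        "VM": "OpaqueRef:vm-1", "VDI": "OpaqueRef:vdi-1", "userdevice": "0",
        "mode": "RW", "currently_attached": True, "other_config": {"owner": "true"},
    },
    "OpaqueRef:vbd-2": {
        "VM": "OpaqueRef:vm-2", "VDI": "OpaqueRef:NULL", "userdevice": "1",
        "mode": "RW", "currently_attached": True,
        # Constructed placeholder path; any value under this key is a finding.
        "other_config": {BACKEND_LOCAL_KEY: "/placeholder/dom0/file"},
    },
    "OpaqueRef:vbd-3": {
        "VM": "OpaqueRef:vm-1", "VDI": "OpaqueRef:NULL", "userdevice": "2",
        "mode": "RO", "currently_attached": False,
        "other_config": {BACKEND_LOCAL_KEY: "/placeholder/dom0/other"},
    },
}
# Constructed VM ref -> name_label map (from VM.get_all_records in practice).
SAMPLE_VM_NAMES: Dict[str, str] = {"OpaqueRef:vm-1": "infra-vm",
                                   "OpaqueRef:vm-2": "tenant-vm"}


def find_backend_local_vbds(vbds: Dict[str, dict],
                            vm_names: Dict[str, str]) -> List[dict]:
    """One finding per VBD carrying backend-local, most urgent first:
    a currently attached RW device means the dom0 file is writable now."""
    findings = []
    for ref, rec in vbds.items():
        other = rec.get("other_config") or {}
        if BACKEND_LOCAL_KEY not in other:
            continue
        vm_ref = rec.get("VM", "")
        findings.append({
            "vbd": ref, "vm": vm_ref,
            "vm_name": vm_names.get(vm_ref, "<unknown>"),
            "path": other[BACKEND_LOCAL_KEY],
            "mode": rec.get("mode"),
            "attached": bool(rec.get("currently_attached")),
        })
    findings.sort(key=lambda f: (not f["attached"], f["mode"] != "RW"))
    return findings
```

On a live pool the same function can be fed the dicts returned by session.xenapi.VBD.get_all_records() and a name_label map built from VM.get_all_records(); on a pool without RBAC the check is still worth running, but the advisory's exposure condition does not apply.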


Remediation

Install the security update from the vendor's website.

External links