Improper access control in XenAPI Server - CVE-2026-23560

Published: April 29, 2026


Vulnerability identifier: #VU128447
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23560
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Xen Project
Affected software:
XenAPI Server

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control on the VM.other-config:is_system_domain key when modifying VM configuration. A remote user can mark a VM as a system domain to escalate privileges.

System domains may be ignored and left running during certain host or pool operations, and may be hidden from view in tooling.


How to mitigate CVE-2026-23560

Install the security update from the vendor's website.

Sources