Improper access control in XenAPI Server - CVE-2026-23560

Published: April 29, 2026


Vulnerability identifier: #VU128447
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23560
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XenAPI Server
Software vendor: Xen Project

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control on the VM.other-config:is_system_domain key when modifying VM configuration. A remote user who is allowed to edit a VM's other-config (the CVSS vector records PR:L, i.e. only low privileges are needed) can set this key and mark an ordinary guest as a system domain, thereby escalating privileges.

System domains may be ignored and left running during certain host or pool operations, and may be hidden from view in tooling, so a guest flagged this way can survive operations an administrator expects to stop it and can escape routine inspection.
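Because a flagged guest may be hidden from the usual tooling, the practical check after patching is to inspect the raw VM records for the flag directly. The following audit helper is an added example and is not Xen Project code; it assumes the flag is carried as the string value "true" in other_config (an assumption) and works on per-VM record dicts in the shape the XenAPI Python bindings return from VM.get_all_records(), using the real record fields other_config, is_control_domain and name_label. The sample records are constructed for illustration.

```python
"""Audit XenAPI VM records for guests marked as system domains.

Hypothetical audit helper (added example, not Xen Project code). It
walks per-VM records in the shape returned by
session.xenapi.VM.get_all_records() and reports guests that carry
other_config:is_system_domain but are not the control domain (dom0).
"""


def is_system_domain_flag(other_config):
    """True if other_config marks the VM as a system domain.

    Assumption: the flag value is the string "true"; the comparison is
    case-insensitive and ignores surrounding whitespace so that
    variants such as "True" are not missed by the audit.
    """
    value = other_config.get("is_system_domain")
    return value is not None and value.strip().lower() == "true"


def find_suspicious_system_domains(records):
    """Return a sorted list of (vm_ref, name_label) for VMs flagged as
    system domains that are not the control domain.

    `records` maps VM opaque refs to VM record dicts. The control
    domain is legitimately a system domain and is skipped; any other
    VM carrying the flag is reported for manual review.
    """
    findings = []
    for ref, rec in records.items():
        if rec.get("is_control_domain"):
            continue  # dom0 is expected to be a system domain
        if is_system_domain_flag(rec.get("other_config", {})):
            findings.append((ref, rec.get("name_label", "")))
    return sorted(findings)


# Constructed sample records (not real data); only the fields the audit
# needs are included, real records carry many more.
SAMPLE_RECORDS = {
    "OpaqueRef:dom0": {
        "name_label": "Control domain on host: xenhost1",
        "is_control_domain": True,
        "other_config": {"is_system_domain": "true"},
    },
    "OpaqueRef:web01": {
        "name_label": "web01",
        "is_control_domain": False,
        "other_config": {"auto_poweron": "true"},
    },
    "OpaqueRef:rogue": {
        "name_label": "rogue-guest",
        "is_control_domain": False,
        "other_config": {"is_system_domain": "true"},
    },
}

if __name__ == "__main__":
    for ref, name in find_suspicious_system_domains(SAMPLE_RECORDS):
        print(f"{ref}: {name!r} carries is_system_domain but is not the control domain")
```

Against a live pool, replace SAMPLE_RECORDS with the mapping returned by session.xenapi.VM.get_all_records() after logging in with the XenAPI Python bindings. The check only surfaces guests that have already been flagged; the fix for the access-control defect itself is the vendor update below.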


Remediation

Install the security update from the vendor's website.

External links