Improper access control in XenAPI Server - CVE-2026-23561

Published: April 29, 2026
Vulnerability identifier: #VU128448
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23561
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XenAPI Server
Software vendor:
Xen Project

Description

The vulnerability allows a remote user to disrupt storage management operations.

The vulnerability exists due to improper access control on the VM.other_config:storage_driver_domain key when VM configuration is modified. A remote user can mark a VM as the storage driver domain for a host's storage connection and then shut that VM down, disrupting storage management operations.

Shutting down the VM can cause the associated PBD (the host's connection to a storage repository) to be erroneously marked as unplugged when it is still attached. The vulnerability is exposed only when RBAC is configured for the pool.
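A defender-side check for the condition described above, added here as an example and not part of the advisory or of the Xen Project's code: it scans VM and PBD records in the shape returned by XenAPI's VM.get_all_records() and PBD.get_all_records() and reports every VM carrying the storage_driver_domain key together with the attached PBDs on the host it resides on. The record fields used, the key's value and the sample records are assumptions or constructed data.

```python
from typing import Dict, List

STORAGE_DRIVER_KEY = "storage_driver_domain"  # other_config key named in the advisory
NULL_REF = "OpaqueRef:NULL"                   # XenAPI's null reference


def audit_storage_driver_domains(vm_records: Dict[str, dict],
                                 pbd_records: Dict[str, dict]) -> List[dict]:
    """Return one finding per VM whose other_config carries the key.

    A finding records whether the VM is the control domain (the normal owner
    of host storage connections), its power state and the PBDs currently
    attached on its resident host. A non-control VM carrying the key, and
    especially one backing attached PBDs, is what to review: shutting it
    down is the trigger the advisory describes.
    """
    findings = []
    for vm_ref, vm in vm_records.items():
        if STORAGE_DRIVER_KEY not in vm.get("other_config", {}):
            continue
        host = vm.get("resident_on", NULL_REF)
        attached = [ref for ref, pbd in pbd_records.items()
                    if pbd.get("host") == host and pbd.get("currently_attached")]
        is_dom0 = bool(vm.get("is_control_domain", False))
        findings.append({"vm": vm_ref, "name": vm.get("name_label", ""),
                         "control_domain": is_dom0,
                         "power_state": vm.get("power_state", "unknown"),
                         "attached_pbds": attached, "needs_review": not is_dom0})
    return findings


def fetch_records(url: str, user: str, password: str):
    """Pull live records with the XenAPI Python bindings (assumed installed)."""
    import XenAPI
    session = XenAPI.Session(url)
    session.xenapi.login_with_password(user, password)
    try:
        return (session.xenapi.VM.get_all_records(),
                session.xenapi.PBD.get_all_records())
    finally:
        session.xenapi.session.logout()


# Constructed sample pool: dom0 legitimately carries the key; user-vm does not belong to.
SAMPLE_VMS = {
    "OpaqueRef:dom0": {"name_label": "Control domain on host: h1", "is_control_domain": True,
                       "power_state": "Running", "resident_on": "OpaqueRef:h1",
                       "other_config": {STORAGE_DRIVER_KEY: "true"}},
    "OpaqueRef:vm1": {"name_label": "user-vm", "is_control_domain": False,
                      "power_state": "Running", "resident_on": "OpaqueRef:h1",
                      "other_config": {STORAGE_DRIVER_KEY: "true"}},
    "OpaqueRef:vm2": {"name_label": "plain-vm", "is_control_domain": False,
                      "power_state": "Running", "resident_on": "OpaqueRef:h1",
                      "other_config": {}},
}
SAMPLE_PBDS = {
    "OpaqueRef:pbd1": {"host": "OpaqueRef:h1", "SR": "OpaqueRef:sr1", "currently_attached": True},
    "OpaqueRef:pbd2": {"host": "OpaqueRef:h2", "SR": "OpaqueRef:sr1", "currently_attached": False},
}

if __name__ == "__main__":
    for f in audit_storage_driver_domains(SAMPLE_VMS, SAMPLE_PBDS):
        print(f)
```

Point fetch_records at a real pool and feed its output to audit_storage_driver_domains to run the same check live.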
Remediation

Install the security update from the vendor's website.

External links