Improper access control in XenAPI Server - CVE-2026-23561

Published: April 29, 2026


Vulnerability identifier: #VU128448
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23561
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Xen Project
Affected software:
XenAPI Server

Detailed vulnerability description

The vulnerability allows a remote user to disrupt storage management operations.

The vulnerability exists due to improper access control on the VM.other_config:storage_driver_domain key when modifying VM configuration. A remote user can mark a VM as the storage driver domain for a host storage connection and then shut that VM down, disrupting storage management operations.

Shutting down the VM can cause the associated PBD to be erroneously marked as unplugged while it is in fact still plugged. The vulnerability is exposed only when RBAC is configured for the pool.
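A pool-side audit a defender can run until the update is applied: list every VM carrying the other_config:storage_driver_domain key and flag the ones that are not expected to hold it. This is an added example, not code from the advisory or the Xen Project; the sample records are constructed, and the allowlist of legitimate driver-domain UUIDs is an assumption you fill in for your own pool.

```python
"""Audit helper for the VM.other_config:storage_driver_domain marker.

The record shape mirrors what the XenAPI Python binding returns from
session.xenapi.VM.get_all_records(): a dict of opaque ref -> record.
The fields used (uuid, name_label, power_state, other_config,
is_control_domain) are real VM record fields; the data below is constructed.
"""

MARKER = "storage_driver_domain"

# Constructed sample records (not real pool data).
SAMPLE_VM_RECORDS = {
    "OpaqueRef:dom0": {"uuid": "0000-dom0", "name_label": "Control domain on host",
                       "power_state": "Running", "is_control_domain": True,
                       "other_config": {MARKER: "OpaqueRef:pbd-1"}},
    "OpaqueRef:user": {"uuid": "1111-user", "name_label": "user-vm",
                       "power_state": "Halted", "is_control_domain": False,
                       "other_config": {MARKER: "OpaqueRef:pbd-1"}},
    "OpaqueRef:plain": {"uuid": "2222-plain", "name_label": "plain-vm",
                        "power_state": "Running", "is_control_domain": False,
                        "other_config": {}},
}


def find_marked_vms(vm_records, allowed_uuids=frozenset()):
    """Return one finding per VM whose other_config carries the marker.

    A finding is 'expected' when the VM is a control domain or its UUID is
    on the caller's allowlist of known driver domains (assumption: anything
    else carrying the key was set by a user and deserves review).
    """
    findings = []
    for ref, rec in vm_records.items():
        other_config = rec.get("other_config") or {}
        if MARKER not in other_config:
            continue
        uuid = rec.get("uuid", "")
        findings.append({
            "ref": ref,
            "uuid": uuid,
            "name": rec.get("name_label", ""),
            "power_state": rec.get("power_state", "unknown"),
            "marker_value": other_config[MARKER],
            "expected": bool(rec.get("is_control_domain")) or uuid in allowed_uuids,
        })
    return findings


def unexpected_marked_vms(vm_records, allowed_uuids=frozenset()):
    """Only the findings that need attention; a Halted entry here matches the
    condition the advisory describes (marked VM that is not running)."""
    return [f for f in find_marked_vms(vm_records, allowed_uuids) if not f["expected"]]
```

For a live check, pass the result of `session.xenapi.VM.get_all_records()` from an authenticated XenAPI session in place of `SAMPLE_VM_RECORDS`.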


How to mitigate CVE-2026-23561

Install the security update from the vendor's website.

Sources