[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:
https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles
The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.
The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.
Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.
* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.
* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.
* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.
* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.
* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.
Security readout for executives and security teams
Plain-English summary
CVE-2026-23562 is an authorization failure in Xen XAPI RBAC. A lower-privileged vm-admin could access PCI passthrough configuration that should be limited to pool-admins, potentially exposing host hardware to unintended control.
Executive priority
Treat this as urgent for Xen/XAPI environments with delegated administrators. The risk is privilege boundary failure between VM administration and host hardware control, but the prompt lacks evidence of internet-scale exploitation.
Technical view
XAPI incorrectly omits a pool-admin authorization check on one PCI passthrough API. The issue is classified as CWE-250 and has CVSS 4.0 score 9.4. The prompt does not provide fixed versions, patch details, or affected product editions beyond Xen XAPI.
Likely exposure
Exposure is most relevant where Xen XAPI RBAC is enabled and vm-admin users exist. Systems using PCI passthrough or delegating VM administration to separate teams deserve priority review.
Exploitation context
The provided sources do not show KEV listing or confirmed active exploitation. Exploitation requires an actor able to use vm-admin-level XAPI access; the impact is unintended access to host hardware through PCI passthrough configuration.
Researcher notes
The CVE is part of a broader XAPI RBAC advisory covering several over-permissive settings. For CVE-2026-23562, focus on the missing authorization check around PCI passthrough APIs and role separation between vm-admin and pool-admin.
Mitigation direction
Review Xen XSA-489 and apply vendor-recommended updates or mitigations.
Limit vm-admin assignments to trusted administrators until fixed.
Review PCI passthrough configuration for unauthorized or unexpected device exposure.
Audit RBAC role assignments and remove unnecessary delegated admin rights.
Monitor XAPI management activity for PCI passthrough changes.
Validation and detection
Inventory Xen XAPI deployments and identify systems using RBAC.
List users or integrations with vm-admin permissions.
Review management logs for recent PCI passthrough configuration changes.
Compare installed versions against Xen XSA-489 guidance when available.
Confirm vm-admin accounts cannot configure PCI passthrough after remediation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-250: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-250 · source CWE mapping
Execution with Unnecessary Privileges
Execution with Unnecessary Privileges represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.