Role-Based Access Control Issues in XAPI by Xen
CVE-2026-23559
9.4CRITICAL
What is CVE-2026-23559?
The vulnerability in XAPI involves improper Role-Based Access Control (RBAC) configurations that allow users with lower privilege roles, such as vm-admin, to perform actions intended for higher privilege roles. This flaw enables a vm-admin to manipulate virtual block devices (VBDs) and potentially turn critical files in dom0 into virtual disks (VDIs), leading to unauthorized read and/or modification of sensitive data. Additionally, vm-admins can misconfigure system domains, potentially exposing them to unauthorized operations. The issue resides in the inadequate restriction of settings that should only be accessible to high-privilege roles, creating serious security risks in Xen's environment.
Affected Version(s)
XAPI all