Role-Based Access Control Issues in XAPI by Xen
CVE-2026-23559

9.4CRITICAL

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-23559?

The vulnerability in XAPI involves improper Role-Based Access Control (RBAC) configurations that allow users with lower privilege roles, such as vm-admin, to perform actions intended for higher privilege roles. This flaw enables a vm-admin to manipulate virtual block devices (VBDs) and potentially turn critical files in dom0 into virtual disks (VDIs), leading to unauthorized read and/or modification of sensitive data. Additionally, vm-admins can misconfigure system domains, potentially exposing them to unauthorized operations. The issue resides in the inadequate restriction of settings that should only be accessible to high-privilege roles, creating serious security risks in Xen's environment.

Affected Version(s)

XAPI all

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.