Role-Based Access Control Vulnerability in XenServer by Citrix
CVE-2026-42486
9.4CRITICAL
What is CVE-2026-42486?
A significant security vulnerability exists in XenServer, where certain configurations intended for exclusive pool-admin access can inadvertently be manipulated by lower-privileged vm-admin users. These misconfigurations allow unauthorized alterations in the system, leading to potential exploitation of critical assets within the environment. Specifically, the vm-admin role can unrightfully change the VM.platform:hvm_serial parameter, which opens up pathways for arbitrary file writes in the dom0 domain, compromising the integrity of the system. Additional issues include the ability to create virtual disks from arbitrary files and mark VMs with elevated privileges, thus enabling persistent risks to the server's security posture.
Affected Version(s)
XAPI all