Role-Based Access Control Vulnerability in XenServer by Citrix
CVE-2026-42486

9.4CRITICAL

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-42486?

A significant security vulnerability exists in XenServer, where certain configurations intended for exclusive pool-admin access can inadvertently be manipulated by lower-privileged vm-admin users. These misconfigurations allow unauthorized alterations in the system, leading to potential exploitation of critical assets within the environment. Specifically, the vm-admin role can unrightfully change the VM.platform:hvm_serial parameter, which opens up pathways for arbitrary file writes in the dom0 domain, compromising the integrity of the system. Additional issues include the ability to create virtual disks from arbitrary files and mark VMs with elevated privileges, thus enabling persistent risks to the server's security posture.

Affected Version(s)

XAPI all

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.