-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

    Xen Security Advisory CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486 / XSA-489

                        Multiple RBAC issues in XAPI

ISSUE DESCRIPTION
=================

XAPI can configure different users with different roles, using Role Based
Access Control.  For more details, see:

  https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged.  Notably, users with this role can
also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which is authorised to configure and manage various
aspects of the system.

Some settings are inadequately restricted, and can be set by a less
privileged administrator role than intended.

 * CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
   turn arbitrary files in dom0 into VDIs (virtual disks) and attach said
   disks to a VM they control.  This is an arbitrary read and/or write of
   files in dom0.

 * CVE-2026-23560: A vm-admin can set VM.other_config:is_system_domain and
   mark a VM as a system domain.  System domains are ignored and left
   running during certain other host/pool operations, and may be hidden
   from view in tooling.

 * CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
   and mark a VM as the storage domain for a particular host storage
   connection (PBD).  Shutting down the VM can cause the PBD to be
   erroneously marked as unplugged when it is not.

 * CVE-2026-23562: Configuration of PCI passthrough is normally restricted
   to the pool-admin role.  However, one API was missing this check,
   allowing a vm-admin access to unintended host hardware.

 * CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial parameter,
   which should be restricted to the pool-admin role, as it can allow an
   arbitrary dom0 file write.
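As an added example (not part of this advisory and not the XAPI project's own tooling), the script below audits a pool for two things the advisory gives an operator to look for: RBAC subjects holding one of the three under-privileged administrator roles named in the mitigation, and VMs/VBDs that carry the four configuration keys named above (backend-local, is_system_domain, storage_driver_domain, hvm_serial).  CVE-2026-23562 is an API-level check, not a stored key, so it cannot be found this way.  The audit functions take plain dicts in the shape of XenAPI get_all_records() output, so they run offline against the constructed sample records embedded here; the live mode assumes the XenAPI Python binding is installed and that the pool accepts the four-argument login_with_password form.  All UUIDs, refs and subject names in the sample are made up.

```python
"""Audit a XAPI pool for the configuration keys named in XSA-489 and for the
RBAC subjects that hold one of the under-privileged administrator roles.

Record layouts follow XenAPI get_all_records(): {OpaqueRef: record-dict}.
The sample data below is constructed for offline use and is not real.
"""

# Roles the advisory says can reach pool-admin through these issues.
AFFECTED_ROLES = ("pool-operator", "vm-power-admin", "vm-admin")

# (object class, field, key, CVE) as listed in the ISSUE DESCRIPTION.
WATCHED_KEYS = (
    ("VBD", "other_config", "backend-local", "CVE-2026-23559"),
    ("VM", "other_config", "is_system_domain", "CVE-2026-23560"),
    ("VM", "other_config", "storage_driver_domain", "CVE-2026-23561"),
    ("VM", "platform", "hvm_serial", "CVE-2026-42486"),
)


def find_affected_subjects(subjects, roles):
    """Return sorted [(subject uuid, display name, [affected role names])].

    Subjects that also hold pool-admin are skipped: they are already fully
    privileged, so removing a lesser role from them changes nothing.
    """
    hits = []
    for rec in subjects.values():
        names = sorted(roles[r]["name_label"] for r in rec["roles"] if r in roles)
        if "pool-admin" in names:
            continue
        affected = [n for n in names if n in AFFECTED_ROLES]
        if affected:
            # subject-name lives in other_config; fall back to the SID/identifier.
            name = rec["other_config"].get("subject-name", rec["subject_identifier"])
            hits.append((rec["uuid"], name, affected))
    return sorted(hits)


def find_watched_settings(vms, vbds):
    """Return sorted findings (cve, class, uuid, owning VM name, key, value)
    for every VM or VBD whose other_config/platform carries a watched key.
    Presence is reported, not judged: a pool-admin may have set it on purpose."""
    findings = []
    for vbd in vbds.values():
        vm_name = vms.get(vbd["VM"], {}).get("name_label", "?")
        for cls, field, key, cve in WATCHED_KEYS:
            if cls == "VBD" and key in vbd[field]:
                findings.append((cve, "VBD", vbd["uuid"], vm_name, key, vbd[field][key]))
    for vm in vms.values():
        for cls, field, key, cve in WATCHED_KEYS:
            if cls == "VM" and key in vm[field]:
                findings.append((cve, "VM", vm["uuid"], vm["name_label"], key, vm[field][key]))
    return sorted(findings)


def audit_live(url, user, password):
    """Pull the same four record sets from a live pool and run both audits.
    Assumes the XenAPI Python binding (from xapi-project/xen-api) is installed."""
    import XenAPI  # imported here so the offline audit functions need no binding
    session = XenAPI.Session(url)
    session.xenapi.login_with_password(user, password, "1.0", "xsa489-audit")
    try:
        x = session.xenapi
        return (find_affected_subjects(x.subject.get_all_records(), x.role.get_all_records()),
                find_watched_settings(x.VM.get_all_records(), x.VBD.get_all_records()))
    finally:
        session.xenapi.session.logout()


# Constructed sample records (hypothetical refs, uuids and names).
SAMPLE_ROLES = {
    "OpaqueRef:role-pa": {"uuid": "r-1", "name_label": "pool-admin"},
    "OpaqueRef:role-vma": {"uuid": "r-2", "name_label": "vm-admin"},
    "OpaqueRef:role-ro": {"uuid": "r-3", "name_label": "read-only"},
}
SAMPLE_SUBJECTS = {
    "OpaqueRef:subj-1": {"uuid": "s-1", "subject_identifier": "S-1-5-21-1",
                         "other_config": {"subject-name": "CORP\\alice"}, "roles": ["OpaqueRef:role-pa"]},
    "OpaqueRef:subj-2": {"uuid": "s-2", "subject_identifier": "S-1-5-21-2",
                         "other_config": {"subject-name": "CORP\\bob"}, "roles": ["OpaqueRef:role-vma"]},
    "OpaqueRef:subj-3": {"uuid": "s-3", "subject_identifier": "S-1-5-21-3",
                         "other_config": {}, "roles": ["OpaqueRef:role-ro"]},
}
SAMPLE_VMS = {
    "OpaqueRef:vm-1": {"uuid": "v-1", "name_label": "web01",
                       "other_config": {"is_system_domain": "true"}, "platform": {"hvm_serial": "pty"}},
    "OpaqueRef:vm-2": {"uuid": "v-2", "name_label": "db01", "other_config": {}, "platform": {}},
}
SAMPLE_VBDS = {
    "OpaqueRef:vbd-1": {"uuid": "b-1", "VM": "OpaqueRef:vm-2", "other_config": {"backend-local": "true"}},
    "OpaqueRef:vbd-2": {"uuid": "b-2", "VM": "OpaqueRef:vm-1", "other_config": {}},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: audit.py https://pool-master user password
        subjects, settings = audit_live(*sys.argv[1:])
    else:
        subjects, settings = (find_affected_subjects(SAMPLE_SUBJECTS, SAMPLE_ROLES),
                              find_watched_settings(SAMPLE_VMS, SAMPLE_VBDS))
    for uuid, name, held in subjects:
        print(f"subject {uuid} ({name}) holds {', '.join(held)}: disable until fixed (XSA-489)")
    for cve, cls, uuid, vm, key, val in settings:
        print(f"{cve}: {cls} {uuid} (VM {vm}) has {key}={val!r}")
```

Reported settings need reconciling against intended configuration rather than acted on blindly: pool-admins legitimately mark driver domains as system domains and set hvm_serial on some guests, and the script cannot tell who set a key or when.  Where a key was set by a vm-admin, treat the VM and the dom0 files it could reach as compromised, not merely misconfigured.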
IMPACT
======

An authenticated user already granted one of pool-operator, vm-power-admin
or vm-admin can escalate their privilege to pool-admin.  Since pool-admin
can also SSH into the host as root, this amounts to root in dom0.

VULNERABLE SYSTEMS
==================

All versions of XAPI are vulnerable.

The vulnerability is only exposed if RBAC is configured for the pool, and
users are assigned one of the not-fully-privileged administrator roles.

MITIGATION
==========

Until the fixes below are applied, disable any users (RBAC subjects) which
have been configured with the vm-admin, vm-power-admin or pool-operator
role.

RESOLUTION
==========

Fixes can be found in the following pull requests:

  https://github.com/xapi-project/xen-api/pull/7031
  https://github.com/xapi-project/xen-api/pull/7032
  https://github.com/xapi-project/xen-api/pull/7033
  https://github.com/xapi-project/xen-api/pull/7039

NOTE REGARDING LACK OF EMBARGO
==============================

These issues were disclosed in public.

The researcher claimed 89 vulnerabilities.  Analysis by the XAPI team
concluded that only 5 were real vulnerabilities, with most being a failure
to read the RBAC documentation, and several appearing to be AI
hallucinations.

The researcher also took active steps to prevent coordinated disclosure.
Due to acting in bad faith, they are explicitly not credited.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmnw9tkMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZgLUIAMgzABaje/RPPO7lwrp1ERZQhtqy/SPG2dYxE75a
M6bytAbpj4Y9lgh8IB4QLXDSEfSgjWKxzSGcUi3DpvJI3uiQmSqvAE5XnfRfVHT/
h1eo0vQ3v8yz5++iiOl2Cq9Qvg9cvMFEXYz8X21+u63KlpOnXjUZ7VpYeRdrbCYs
n6Id6QU4D/y+3EZne5Xs0JY6Dn8J8SM3ejNjP6OmMFJMoKgSf1nXarQhNcmgvR0G
a+PRjUWgHAHqfdzjJsyBZLyNwPAQgUM2aDfPqGh8vr9YlE6sWwlxYEeSIGsWzAHu
oE5iWmYq5O4FUTgf+1ye8PUNbGyzDsJCeGfWeAXvGobQ6aQ=
=OEJh
-----END PGP SIGNATURE-----