CVE-2026-23562

Xen · XAPI

Xen XAPI fails to perform necessary authorization checks for PCI passthrough configuration, allowing lower-privileged administrators to access unintended host hardware.

Executive summary

A vulnerability in the Xen XAPI management interface allows unauthorized users with vm-admin privileges to configure host-level PCI passthrough, resulting in a critical security risk.

Vulnerability

This vulnerability is a privilege escalation and access control flaw where the XAPI management interface neglects to verify the role of a user requesting PCI passthrough configuration. While normally restricted to the pool-admin role, a user with vm-admin privileges can bypass this check to gain unauthorized access to host hardware.

Business impact

Successful exploitation allows a vm-admin to manipulate host-level hardware configurations, potentially leading to unauthorized resource access or system instability. Given the critical CVSS score of 9.4, this vulnerability represents a significant threat to virtualized infrastructure integrity and cross-VM isolation, potentially facilitating further lateral movement within the management plane.

Remediation

Immediate Action: Update Xen XAPI to the latest version as specified in the vendor security advisory (XSA-489).

Proactive Monitoring: Review XAPI management logs for unexpected configuration changes or unauthorized attempts to access PCI passthrough settings by non-admin roles.

Compensating Controls: Restrict access to the XAPI management interface to trusted administrative networks and ensure that only authorized personnel hold elevated administrative roles.

Exploitation status

Public Exploit Available: False

Analyst recommendation

The severity of this flaw necessitates immediate attention to prevent unauthorized hardware control. Administrators must apply the vendor-provided security patches immediately to enforce proper Role Based Access Control (RBAC) and mitigate the risk of host hardware compromise.