CVE-2026-23562
Xen · XAPI
Xen XAPI fails to perform necessary authorization checks for PCI passthrough configuration, allowing lower-privileged administrators to access unintended host hardware.
Executive summary
A vulnerability in the Xen XAPI management interface allows unauthorized users with vm-admin privileges to configure host-level PCI passthrough, resulting in a critical security risk.
Vulnerability
This vulnerability is a privilege escalation and access control flaw where the XAPI management interface neglects to verify the role of a user requesting PCI passthrough configuration. While normally restricted to the pool-admin role, a user with vm-admin privileges can bypass this check to gain unauthorized access to host hardware.
Business impact
Successful exploitation allows a vm-admin to manipulate host-level hardware configurations, potentially leading to unauthorized resource access or system instability. Given the critical CVSS score of 9.4, this vulnerability represents a significant threat to virtualized infrastructure integrity and cross-VM isolation, potentially facilitating further lateral movement within the management plane.
Remediation
Immediate Action: Update Xen XAPI to the latest version as specified in the vendor security advisory (XSA-489).
Proactive Monitoring: Review XAPI management logs for unexpected configuration changes or unauthorized attempts to access PCI passthrough settings by non-admin roles.
Compensating Controls: Restrict access to the XAPI management interface to trusted administrative networks and ensure that only authorized personnel hold elevated administrative roles.
Exploitation status
Public Exploit Available: False
Analyst recommendation
The severity of this flaw necessitates immediate attention to prevent unauthorized hardware control. Administrators must apply the vendor-provided security patches immediately to enforce proper Role Based Access Control (RBAC) and mitigate the risk of host hardware compromise.