Unrated

XAPI RBAC privilege escalation via VM.other-config:is_system_domain

IdentifiersCVE-2026-23560CWE-269

CVE-2026-23560 is an XAPI RBAC authorization flaw covered by Xen Security Advisory XSA-489. A user assigned the lower-privileged vm-admin role can set the VM.other-config:is_system_domain field and mark an arbitrary VM as a system domain, even though this capability should be restricted to more privileged administration contexts. According to the advisory, system domains may be ignored and left running during certain host or pool operations and may also be hidden from view in management tooling. The issue stems from inadequate restriction of security-sensitive XAPI settings, allowing a lower-privileged administrator to perform an action outside the intended limits of their RBAC role.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a vm-admin user to exceed the intended boundaries of the assigned RBAC role by causing an attacker-controlled VM to be treated as a system domain. Because system domains may be excluded from certain host or pool lifecycle operations and may be less visible in tooling, this can provide persistence across administrative operations, reduce operator visibility, and contribute to privilege escalation beyond vm-admin. The broader XSA-489 advisory states that the first three RBAC issues, including this one, may allow vm-admin users to escalate to root privileges in the control domain under affected configurations.

Mitigation

If you can’t patch tonight, do this now.

Until patches are applied, disable RBAC subjects assigned lower-privileged administrator roles implicated by XSA-489, specifically vm-admin, vm-power-admin, and pool-operator, as recommended by the advisory. More generally, avoid assigning vm-admin in environments where RBAC is enabled unless the platform has been updated with the XSA-489 fixes, and review for VMs improperly marked with VM.other-config:is_system_domain.

Remediation

Patch, then assume compromise.

Apply the XAPI fixes referenced in XSA-489. The advisory states that fixes were merged and backported and are available in XAPI releases v26.12.0 and v26.1.11. Vendors downstream of XAPI should be updated to versions containing the XSA-489 fixes. For XCP-ng, the provided context states that supported users should upgrade to xen-4.17.6-6.2.xcpng8.3 or later, as applicable to the vendor packaging of these fixes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

runzero blogNews

Apr 30, 2026

XCP-ng vulnerabilities: How to find impacted assets

One of the confirmed XAPI RBAC escalation vulnerabilities; among the first three flaws that may allow vm-admin users to escalate to root privileges in the control domain under specific Active Directory and RBAC configurations.

runzero blogNews

Sep 25, 2024

Citrix Hypervisor vulnerabilities: How to find affected assets

One of five actionable XAPI RBAC escalation vulnerabilities confirmed in XSA-489; one of the first three that may allow host administrators to exceed their assigned RBAC permissions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6