Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Unrated

XAPI RBAC privilege escalation via VBD.other_config:backend-local

IdentifiersCVE-2026-23559CWE-284

CVE-2026-23559 is an XAPI RBAC authorization flaw tracked in Xen Security Advisory XSA-489. A user assigned the vm-admin role can set the VBD.other_config:backend-local parameter, even though this capability should be restricted to a more privileged role. By setting this field, the attacker can cause arbitrary files in dom0 to be treated as VDIs and then attach those disks to a VM they control. This breaks the intended RBAC boundary and enables direct access from the attacker-controlled VM to arbitrary dom0 files. Upstream remediation removed handling of VBD.other_config:backend-local entirely, indicating the feature was no longer considered to have a valid use case.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a lower-privileged authenticated administrator, specifically a vm-admin in an RBAC-enabled XAPI environment, to exceed the limits of the assigned role and obtain arbitrary read and/or modification access to files in dom0. Because dom0 is the control domain, this can lead to effective privilege escalation toward root-level control of the host, compromise of host integrity, exposure of sensitive host data, and potential follow-on compromise of workloads managed by that host.

Mitigation

If you can’t patch tonight, do this now.

Until patched, disable RBAC subjects assigned the vm-admin role; broader advisory guidance also recommends disabling subjects assigned vm-admin, vm-power-admin, or pool-operator roles in affected RBAC-enabled pools. Limit assignment of non-fully-privileged administrative roles, especially in environments integrated with Active Directory, and restrict access to XAPI management interfaces to trusted administrators only.

Remediation

Patch, then assume compromise.

Apply the vendor and upstream fixes for XSA-489 / VSA-2026-011. The content states that fixes were merged and backported in XAPI and are available in releases v26.12.0 and v26.1.11. For XCP-ng, upgrade to xen-4.17.6-6.2.xcpng8.3 or later where applicable. The upstream code change specifically removed support for VBD.other_config:backend-local, which is the vulnerable mechanism.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-23559
NVD
nvd.nist.gov/vuln/detail/CVE-2026-23559
MITRE CWE · CWE-284
cwe.mitre.org