Unrated

XAPI PCI Passthrough RBAC Privilege Escalation

IdentifiersCVE-2026-23562CWE-862

CVE-2026-23562 is an RBAC authorization flaw in XAPI's PCI passthrough configuration handling, tracked in Xen Security Advisory XSA-489. PCI passthrough configuration is intended to be restricted to the pool-admin role, but one API path was missing the required pool-admin authorization check. As a result, a user with only the vm-admin role could invoke that API to configure PCI passthrough despite not having sufficient privileges. The issue is a privilege-boundary failure in XAPI's role enforcement rather than a memory-safety bug.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a lower-privileged authenticated administrator, specifically a vm-admin in an RBAC-enabled XAPI environment, to perform PCI passthrough configuration actions that should be limited to pool-admin. This can grant access to unintended host hardware and constitutes privilege escalation within the management plane. XSA-489 states that the affected RBAC issues can allow lower-privileged administrator roles to escalate to pool-admin-equivalent capabilities.

Mitigation

If you can’t patch tonight, do this now.

Until patches are applied, disable RBAC subjects assigned lower-privileged administrator roles implicated by XSA-489, particularly vm-admin, and more broadly vm-power-admin or pool-operator where applicable. Limit assignment of non-full administrator roles in RBAC-enabled pools and restrict access to XAPI management interfaces to trusted administrators only.

Remediation

Patch, then assume compromise.

Apply the XAPI fixes referenced by XSA-489. The advisory states that fixes were merged and backported and are available in XAPI releases v26.12.0 and v26.1.11. Upgrade to a fixed XAPI release or the corresponding vendor-provided patched platform build that incorporates the XSA-489 remediation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

runzero blogNews

Apr 30, 2026

XCP-ng vulnerabilities: How to find impacted assets

One of the confirmed actionable XAPI RBAC escalation vulnerabilities discussed in XSA-489/VSA-2026-011.

runzero blogNews

Sep 25, 2024

Citrix Hypervisor vulnerabilities: How to find affected assets

One of five actionable XAPI RBAC escalation vulnerabilities confirmed in XSA-489.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5