Unrated

XAPI RBAC privilege boundary flaw in storage_driver_domain handling

IdentifiersCVE-2026-23561CWE-863

In XAPI, a user with the vm-admin role can set the VM.other_config:storage_driver_domain field and mark a VM as the storage domain for a particular host storage connection (PBD). According to Xen Security Advisory XSA-489, this setting is insufficiently restricted and should not be writable by this lower-privileged administrative role. If the attacker-controlled VM is then shut down, the associated PBD can be erroneously marked as unplugged even though it is not. This is one of the RBAC-related XAPI vulnerabilities confirmed in XSA-489 and affects XAPI deployments where RBAC is enabled and non-fully-privileged administrator roles are assigned.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a vm-admin user to exceed the intended limits of their assigned RBAC role by manipulating storage-domain state for a host storage connection. The documented effect is that a PBD may be incorrectly marked as unplugged, which can disrupt storage management state and contributes to privilege-boundary bypass within XAPI. The broader advisory states that the first three RBAC issues, including CVE-2026-23561, may allow lower-privileged administrators to escalate beyond their assigned role, and in some vendor summaries potentially to root privileges in the control domain under limited configurations.

Mitigation

If you can’t patch tonight, do this now.

Until patched builds are deployed, disable RBAC subjects assigned the vm-admin, vm-power-admin, or pool-operator roles, as recommended in XSA-489. More generally, avoid assigning lower-privileged administrative RBAC roles in affected pools unless necessary, and restrict use of advanced RBAC configurations that expose these code paths.

Remediation

Patch, then assume compromise.

Apply the XAPI fixes referenced by Xen Security Advisory XSA-489. The advisory states that fixes have been merged and backported and are available in XAPI releases v26.12.0 and v26.1.11. Vendor guidance in the provided content also recommends upgrading supported XCP-ng deployments to xen-4.17.6-6.2.xcpng8.3 or later, and updating supported Citrix XenServer releases to the latest available fixed version.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

runzero blogNews

Apr 30, 2026

XCP-ng vulnerabilities: How to find impacted assets

One of the confirmed XAPI RBAC escalation vulnerabilities; among the first three flaws that may allow vm-admin users to escalate to root privileges in the control domain under specific Active Directory and RBAC configurations.

runzero blogNews

Sep 25, 2024

Citrix Hypervisor vulnerabilities: How to find affected assets

One of five actionable XAPI RBAC escalation vulnerabilities confirmed in XSA-489; one of the first three that may allow host administrators to exceed their assigned RBAC permissions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5