Vulnerabilities in XAPI break the hierarchy of rights.

Several vulnerabilities have been found at once in the XAPI project that allow an ordinary administrator to gain full control of the server. The problem lies in how access rights are set up: because of it, the restrictions simply do not work as the developers intended.
The issue concerns the role-based access control mechanism. Normally, only the role with maximum rights can fully control the system and connect to the server with superuser privileges. In XAPI, however, some settings were available to administrators with a lower level of rights. As a result, a user with vm-admin or similar rights can step outside what is allowed and reach critical functions.
In total, five vulnerabilities were confirmed, with the identifiers CVE-2026-23559, CVE-2026-2356, CVE-2026-2356, CVE-2026-23562 and CVE-2026-42486. Through one of them, the host's own files can be read and even modified by turning them into virtual disks and attaching them to the attacker's virtual machine. Another allows a virtual machine to be disguised as a system VM, so that it is not stopped during maintenance and can disappear from management tools. There are also flaws related to access to hardware and storage settings, as well as the ability to write arbitrary data into host files.
Any of these loopholes allows privileges to be raised to the level of full administration. The vulnerabilities affect all versions of XAPI, but they manifest only on systems where role-based access control is enabled and roles with limited rights are assigned. The developers have already released fixes in XAPI updates and advise installing them as soon as possible. As a temporary measure, accounts with the vm-admin, vm-power-admin and pool-operator roles should be disabled.
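The temporary measure above requires knowing which subjects hold the affected roles. The script below is an added example, not code from the article or the XAPI project: it parses the record layout that `xe subject-list params=uuid,roles` is assumed to print (a `uuid` line, a `roles` line, a blank line between records) and flags every subject holding one of the three named roles; the sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example: audit XAPI subjects for the roles the advisory says to disable
# temporarily (vm-admin, vm-power-admin, pool-operator). The record layout is
# assumed from `xe subject-list params=uuid,roles`; the sample is constructed.

RISKY_ROLES='vm-admin|vm-power-admin|pool-operator'

# Constructed sample of `xe subject-list params=uuid,roles` output.
SAMPLE_SUBJECTS='uuid ( RO)     : 11111111-aaaa-4bbb-8ccc-000000000001
   roles (SRO): pool-admin

uuid ( RO)     : 11111111-aaaa-4bbb-8ccc-000000000002
   roles (SRO): vm-admin

uuid ( RO)     : 11111111-aaaa-4bbb-8ccc-000000000003
   roles (SRO): read-only; vm-power-admin
'

# risky_subjects: read xe-style records on stdin and print "uuid<TAB>roles"
# for each subject whose roles include one of the three affected roles.
# Records are separated by blank lines; the END rule handles the last record.
risky_subjects() {
    awk -v pat="$RISKY_ROLES" '
        /^uuid/ { sub(/^[^:]*: */, ""); uuid = $0 }
        /roles/ { sub(/^[^:]*: */, ""); roles = $0 }
        /^$/    { if (uuid != "" && roles ~ pat) print uuid "\t" roles
                  uuid = ""; roles = "" }
        END     { if (uuid != "" && roles ~ pat) print uuid "\t" roles }
    '
}

# count_risky: number of flagged subjects in the given xe output text.
count_risky() {
    printf '%s' "$1" | risky_subjects | wc -l | tr -d ' '
}

# On a pool master the live check would be:
#   xe subject-list params=uuid,roles | risky_subjects
printf '%s' "$SAMPLE_SUBJECTS" | risky_subjects
```

Each flagged UUID is a candidate for review or temporary disabling until the fixed XAPI packages are installed.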
The disclosure story turned out to be unusual. The person who reported the problems claimed about 89 flaws, but the project team confirmed only five; the rest were either misunderstandings or outright erroneous conclusions. Moreover, the author of the report tried to block the coordinated disclosure, so his name is not mentioned in the final announcement.