VSA-2026-011: Multiple XAPI potential Vulnerabilities
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-04-28 | 2026-04-28 | 🟢 Low | Not available yet | - XCP-ng 8.3 |
Multiple vulnerabilities and their associated CVEs were published by the Xen project. For Vates products, we classify the impact as Low, as our LTS products in a standard use case are not directly impacted. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
The Xen project recently disclosed multiple vulnerabilities affecting various versions of XAPI. In specific use cases, these vulnerabilities could allow privilege escalation.
Impact
These vulnerabilities are related to a feature not used in Vates VMS: XAPI’s advanced RBAC roles feature. This feature is not enabled or exposed by default in Xen Orchestra, XO Lite, or any of our standard documentation.
The references to Active Directory in this advisory concern XCP-ng's own user management (XAPI subjects at the pool level). They are not related to Xen Orchestra's user management or its Active Directory integration, which are not impacted.
Only users with a specific setup may be impacted:
- an XCP-ng pool connected to Active Directory for its user management, and
- an Active Directory-managed user of that pool who has been given VM configuration rights (the vm-admin XAPI role).
In such a case, a user could gain elevated host-level privileges beyond what was intended.
Affected Versions
- XCP-ng 8.3 LTS: Affected.
Mitigation
Disable Active Directory accounts on the pool. Again, this concerns the XCP-ng side only and is not related to using Active Directory with Xen Orchestra.
Resolution
As of 2026-04-28, the XAPI packages have been updated in the official XCP-ng repositories. Users are strongly encouraged to update their systems as soon as possible.
List of packages fixing these issues:
- XCP-ng 8.3:
  - xapi-26.1.3-1.9.xcpng8.3
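The following script is an added example, not part of the Vates advisory or of XCP-ng itself. It ties the Mitigation and Resolution sections together into a quick audit run as root on an XCP-ng 8.3 pool master: it reports whether the pool is joined to Active Directory, lists every XAPI subject (user or group) holding the vm-admin role, and compares the installed xapi package with the fixed package named above. It assumes the standard xe CLI (pool-param-get, subject-list with params=), its "param ( RO) : value" listing format in which subject-name lives inside other-config, and rpm for the package query. The sample subject listing and the older xapi version strings used in the test are constructed for illustration and are not real output or real package names.

```shell
#!/bin/sh
# Added example, not part of the Vates advisory: audit helpers for the exposure
# described in VSA-2026-011, meant to run as root on an XCP-ng 8.3 pool master.
# Assumes the standard xe CLI and its "param ( RO) : value" list output.

FIXED_XAPI="xapi-26.1.3-1.9.xcpng8.3"   # fixed package from the advisory

# Constructed sample of `xe subject-list params=uuid,other-config,roles` output
# (not real data), used when xe is unavailable and by the test below.
SAMPLE_SUBJECT_LIST=$(cat <<'EOF'
uuid ( RO)          : 11111111-2222-3333-4444-555555555555
other-config (MRO)  : subject-name: EXAMPLE\alice; subject-upn: alice@example.lan; subject-is-group: false
roles (SRO)         : vm-admin

uuid ( RO)          : 66666666-7777-8888-9999-000000000000
other-config (MRO)  : subject-name: EXAMPLE\bob; subject-upn: bob@example.lan; subject-is-group: false
roles (SRO)         : read-only

uuid ( RO)          : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
other-config (MRO)  : subject-name: EXAMPLE\vm-operators; subject-is-group: true
roles (SRO)         : vm-operator; vm-admin
EOF
)

# Read an xe subject listing on stdin and print the subject-name of every
# subject whose roles set contains vm-admin (the role named in the advisory).
subjects_with_vm_admin() {
    awk '
        /^ *uuid/         { name = "" }
        /^ *other-config/ { if (match($0, /subject-name: [^;]*/))
                                name = substr($0, RSTART + 14, RLENGTH - 14) }
        /^ *roles/        { sub(/^[^:]*: */, "")        # keep only the role set
                            n = split($0, r, /; */)
                            for (i = 1; i <= n; i++)
                                if (r[i] == "vm-admin") print name }
    '
}

# Return success when package NVR $1 is at or above NVR $2. This compares the
# numeric components in order (a simplification of full RPM version ordering,
# sufficient for xapi-<version>-<release>.xcpng8.3 strings).
xapi_is_fixed() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) { rc = (p > q) ? 0 : 1; exit rc }
        }
        exit 0
    }'
}

if command -v xe >/dev/null 2>&1; then
    pool_uuid=$(xe pool-list --minimal)
    # external-auth-type reads "AD" when the pool is joined to Active Directory.
    auth=$(xe pool-param-get uuid="$pool_uuid" param-name=external-auth-type)
    echo "Pool external-auth-type: '${auth:-none}' (AD means the pool uses Active Directory)"
    echo "Subjects holding vm-admin:"
    xe subject-list params=uuid,other-config,roles | subjects_with_vm_admin
    installed=$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' xapi)
    if xapi_is_fixed "$installed" "$FIXED_XAPI"; then
        echo "xapi $installed is at or above $FIXED_XAPI"
    else
        echo "xapi $installed is older than $FIXED_XAPI: update needed"
    fi
else
    echo "xe not found; parsing the constructed sample listing instead:"
    printf '%s\n' "$SAMPLE_SUBJECT_LIST" | subjects_with_vm_admin
fi
```

If the pool reports external-auth-type AD and the subject list is non-empty, the pool matches the exposed setup described under Impact; the package comparison then tells you whether the update from the Resolution section has already been applied. Run it on the pool master, since subjects and the external-auth setting are pool-wide.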
Credits
Thanks to Xen Project and the XAPI team for their work on these vulnerabilities and the patches to fix them.