Skip to main content

XAPI SDK CVE-2026-42491

CRITICAL
2026-07-14
Share

Severity by source

vuln.today AI
7.4 HIGH

Network MitM required (AV:N, AC:H); no privileges needed on target; high confidentiality and integrity impact via session hijack and data tampering; no availability impact described.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 16:16 vuln.today
CVE Published
Jul 14, 2026 - 16:14 oss-security
CRITICAL

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Missing TLS certificate validation in the XAPI C# and PowerShell SDK bindings - specifically on secondary HTTP handler connections used for disk image transfers, host backups, RRD data, and patch delivery - allows a network-positioned attacker to intercept communications between third-party management tools and Xen hypervisor hosts. Successful Man-in-the-Middle exploitation can yield stolen administrative session tokens, enabling full hypervisor session hijack, or permit tampering with critical data such as imported disk images and host update packages in transit. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MitM position on management network segment
Delivery
Intercept secondary HTTP handler connection from XAPI SDK client
Exploit
Present fraudulent TLS certificate (no validation enforced)
Execution
Decrypt and capture XAPI session token in transit
Persist
Replay token to XAPI host out-of-band
Impact
Hijack administrative session or tamper with disk images and patches in transit

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a network Man-in-the-Middle position on the path between a program using the XAPI C# or PowerShell SDK and the XAPI host - for example, via ARP spoofing on the management VLAN or control of an intermediary network device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score is provided for this CVE; the following assessment is independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the management network segment - achieved via ARP spoofing, DNS poisoning, or a compromised network device - transparently proxies the secondary HTTP handler connection initiated by a third-party orchestration tool using the XAPI C# or PowerShell SDK. Because certificate validation is absent on this connection, the attacker presents a forged TLS certificate, decrypts the traffic, and extracts the XAPI session token in cleartext; that token is then reused out-of-band to issue arbitrary administrative commands against the hypervisor host. …
Remediation Apply the official patch xsa498.patch to the XAPI master branch (SHA-256: f2db9e16561edc59b920e0ed95cce3a19147abc6eb2b8500bd73b87dc285d4ba), referenced at https://seclists.org/oss-sec/2026/q3/142. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit network paths connecting management tools to Xen hosts and map the extent of credential and data exposure in transit; identify any air-gapped or fully encrypted communication channels currently in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-42491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy