← Advisory Index « MOKSHA-2026-0022 MOKSHA-2026-0024 »

MOKSHA-2026-0023: Guest Agent Script Execution Enablement via Pool.other_config

Advisory ID	MOKSHA-2026-0023
GCVE ID	GCVE-117-2026-0023
Semantic ID	PLOC-3
Published	2026-04-24
CVSS 3.1	7.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N`
CVSS 4.0	8.2 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H`
XAPI Object	`Pool`
XAPI Field	`other_config:allow_guest_agent_run_script`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can enable the guest agent run-script security gate by setting Pool.other_config:allow_guest_agent_run_script to "true". This key controls the guest-agent-operation plugin's run-script capability pool-wide at helpers.ml:1398-1405. Once enabled, any vm-admin+ caller can pass the FEATURE_RESTRICTED gate and reach xenopsd's script execution path. Live gate bypass proven: without key returns FEATURE_RESTRICTED, with key returns NOT_IMPLEMENTED (gate passed). Full guest command execution requires a VM with guest agent tools installed (modeled, not live-tested).

Vulnerability Description

Pool.other_config is a Map(String, String) field writable by pool-operator. The allow_guest_agent_run_script key is checked at helpers.ml:1398-1405. When set to "true", the guest agent operation plugin's script execution capability is enabled for every VM in the pool that has the guest agent installed.

The code path:

pool-operator calls Pool.add_to_other_config(pool, "allow_guest_agent_run_script", "true")
helpers.ml:1398-1405 checks this key value
When "true", the guest agent's run-script operation is permitted
Any vm-admin+ caller can then invoke VM.call_plugin(guest-agent-operation, run-script) — the FEATURE_RESTRICTED gate opens
If the target VM has guest agent tools, scripts execute with the privileges of the guest agent process (modeled; gate bypass confirmed live)

Pool.other_config is the highest-scope other_config field in the XAPI data model - a single key write affects behavior across every host and VM in the pool.

Root Causes

Missing RBAC protection. Pool.other_config has zero map_keys_roles entries for the allow_guest_agent_run_script key. Any pool-operator can enable it.
Missing validation. No confirmation prompt, no audit trail, no time-bounded enablement. The flag stays set until explicitly removed.
Scope mismatch. A host-level administrative action (pool-operator) enables guest-level code execution - a cross-boundary privilege escalation that should require explicit pool-admin authorization.
Insufficient logging. No security alert is generated when this pool-wide execution capability is enabled.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng 8.3 - confirmed (source trace)

Indirectly Affected

All guest VMs with guest agent installed - become targets for script execution
Multi-tenant environments - tenant VMs can be targeted by compromised pool-operators

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Security gate bypass	Pool key enables run-script feature; without key: FEATURE_RESTRICTED, with key: gate passes to xenopsd	pool-operator credential	Confirmed (live gate bypass)
Cross-tenant command execution	Execute commands in tenant VMs in multi-tenant deployments	pool-operator, multiple tenants	Modeled
Persistent backdoor	Install persistent access in guest VMs via script execution	pool-operator, writable guest filesystem	Modeled
Via BOC-1 chain	vm-admin escalates to pool-operator via BOC-1 S3, then enables guest agent script execution	BOC-1 available	Modeled (chained)

Detection

Monitor Pool.other_config for the allow_guest_agent_run_script key
Alert on any write to this key - legitimate use cases are rare
Audit guest agent logs inside VMs for unexpected script execution events
See rule P-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit Pool.other_config for the allow_guest_agent_run_script key and remove if present
Monitor guest agent activity logs inside VMs
Restrict pool-operator role grants

Long-Term Fix

Restrict to pool-admin. Protect allow_guest_agent_run_script via map_keys_roles at _R_POOL_ADMIN.

Add confirmation and audit. Require explicit confirmation when enabling guest agent script execution. Log the enablement as a security-relevant event.

Time-bounded enablement. Implement an automatic expiry for this flag rather than leaving it permanently enabled.

Upstream patches exist. They are retained privately by the researcher.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23 (closed same day)
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
GCVE/CIRCL: notified 2026-04-18; Moksha approved as GNA #117 on 2026-04-28
DIVD: notified 2026-04-18; responded 2026-04-28
ENISA: notified 2026-04-18 (no response as of 2026-04-29)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer (no response as of 2026-05-11)
Vendor patch (partial): XSA-489 (2026-05-06, 5 of 89 findings)
Downstream advisory: VATES-SA-2026-011

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 RBAC collapse enables vm-admin to reach this vector)
XAPI source: helpers.ml:1398-1405 (key check), datamodel.ml (Pool field definition)
Thematic advisory: disclosure/advisories/ploc-security-advisory.md (PLOC-3)
Investigation: research/investigations/pool-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0023.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0022 MOKSHA-2026-0024 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk