← Advisory Index « MOKSHA-2026-0022 MOKSHA-2026-0024 »

MOKSHA-2026-0023: Guest Agent Script Execution Enablement via Pool.other_config

Advisory ID	MOKSHA-2026-0023
Semantic ID	PLOC-3
Published	2026-04-24
CVSS 3.1	7.2 High
CVSS 3.1 Vector	`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N`
CVSS 4.0	8.2 High
CVSS 4.0 Vector	`AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H`
XAPI Object	`Pool`
XAPI Field	`other_config:allow_guest_agent_run_script`
Entry Role	pool-operator
Researcher	Jakob Wolffhechel, Moksha

Affected Products

Vendor	Product	Versions
Citrix / Cloud Software Group	XenServer / Citrix Hypervisor	all versions (shared XAPI codebase)
Vates	XCP-ng	8.3.0

Summary

A pool-operator can enable execution of arbitrary scripts within guest VMs by setting Pool.other_config:allow_guest_agent_run_script to "true". This key controls the guest-agent-operation plugin's run-script capability pool-wide. Once enabled, the pool-operator (or any attacker who has escalated to pool-operator) can execute commands inside any VM that has the guest agent installed. This is a privilege escalation from host-level management to guest-level code execution, crossing the host-guest trust boundary. With the BOC-1 chain, a vm-admin can reach this vector via RBAC collapse.

Vulnerability Description

Pool.other_config is a Map(String, String) field writable by pool-operator. The allow_guest_agent_run_script key is checked at helpers.ml:1398-1405. When set to "true", the guest agent operation plugin's script execution capability is enabled for every VM in the pool that has the guest agent installed.

The code path:

pool-operator calls Pool.add_to_other_config(pool, "allow_guest_agent_run_script", "true")
helpers.ml:1398-1405 checks this key value
When "true", the guest agent's run-script operation is permitted
The operator can then execute arbitrary scripts inside any guest VM via the guest agent API
Scripts execute with the privileges of the guest agent process inside the VM

Pool.other_config is the highest-scope other_config field in the XAPI data model - a single key write affects behavior across every host and VM in the pool.

Root Causes

Missing RBAC protection. Pool.other_config has zero map_keys_roles entries for the allow_guest_agent_run_script key. Any pool-operator can enable it.
Missing validation. No confirmation prompt, no audit trail, no time-bounded enablement. The flag stays set until explicitly removed.
Scope mismatch. A host-level administrative action (pool-operator) enables guest-level code execution - a cross-boundary privilege escalation that should require explicit pool-admin authorization.
Insufficient logging. No security alert is generated when this pool-wide execution capability is enabled.

Affected Systems

Directly Affected

XenServer / Citrix Hypervisor - all versions (shared XAPI codebase)
XCP-ng 8.3 - confirmed (source trace)

Indirectly Affected

All guest VMs with guest agent installed - become targets for script execution
Multi-tenant environments - tenant VMs can be targeted by compromised pool-operators

Exploitation Scenarios

Scenario	Impact	Pre-conditions	Status
Host-to-guest code execution	Execute arbitrary scripts inside any VM with guest agent	pool-operator credential, guest agent installed	Source-traced
Cross-tenant command execution	Execute commands in tenant VMs in multi-tenant deployments	pool-operator, multiple tenants	Modeled
Persistent backdoor	Install persistent access in guest VMs via script execution	pool-operator, writable guest filesystem	Modeled
Via BOC-1 chain	vm-admin escalates to pool-operator via BOC-1 S3, then enables guest agent script execution	BOC-1 available	Modeled (chained)

Detection

Monitor Pool.other_config for the allow_guest_agent_run_script key
Alert on any write to this key - legitimate use cases are rare
Audit guest agent logs inside VMs for unexpected script execution events
See rule P-03 in disclosure/vendor-detection-guidance.md

Remediation

Short-Term Mitigations

Audit Pool.other_config for the allow_guest_agent_run_script key and remove if present
Monitor guest agent activity logs inside VMs
Restrict pool-operator role grants

Long-Term Fix

Restrict to pool-admin. Protect allow_guest_agent_run_script via map_keys_roles at _R_POOL_ADMIN.

Add confirmation and audit. Require explicit confirmation when enabling guest agent script execution. Log the enablement as a security-relevant event.

Time-bounded enablement. Implement an automatic expiry for this flag rather than leaving it permanently enabled.

Upstream patches exist. They are held privately pending coordinated disclosure.

Disclosure

Disclosure:

Public release: 2026-04-24 08:00 CEST
CERT/CC notified: 2026-04-23
MITRE CVE reservation filed: 2026-04-09 (no response as of publication)
EU CVE registers notified: 2026-04-18 (GCVE/CIRCL, ENISA, DIVD - no response)
Vendor (Cloud Software Group / Citrix): not contacted pre-publication
Downstream maintainer (Vates/XCP-ng): contacted 2026-04-23 with conditional patch offer

References

Related MOKSHA IDs: MOKSHA-2026-0001 (BOC-1 RBAC collapse enables vm-admin to reach this vector)
XAPI source: helpers.ml:1398-1405 (key check), datamodel.ml (Pool field definition)
Thematic advisory: disclosure/advisories/ploc-security-advisory.md (PLOC-3)
Investigation: research/investigations/pool-other-config.md

Credits

Discovered and reported by Jakob Wolffhechel, Moksha.

Machine-readable: MOKSHA-2026-0023.json (CVE JSON 5.1 schema)

← Advisory Index « MOKSHA-2026-0022 MOKSHA-2026-0024 »

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · cna.moksha.dk · shittrix.moksha.dk