{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "MOKSHA-2026-0043",
    "assignerOrgId": "moksha.dk",
    "x_moksha_note": "Self-issued advisory. MOKSHA-2026-NNNN is not a MITRE CVE ID. Schema follows CVE JSON 5.1 for tooling compatibility. CVE ID will be added to alternateIds when assigned by MITRE or another CNA.",
    "state": "PUBLISHED",
    "datePublished": "2026-04-24T06:00:00Z"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "moksha.dk",
        "shortName": "Moksha",
        "dateUpdated": "2026-04-24T06:00:00Z"
      },
      "title": "PBD Synchronization Bypass via Pool.other_config sync_create_pbds",
      "descriptions": [
        {
          "lang": "en",
          "value": "A pool-operator in XAPI-based hypervisors (XenServer, XCP-ng) can disable automatic PBD creation for shared storage repositories by setting sync_create_pbds to nosync in Pool.other_config. The create_storage.ml module checks this value during host boot and skips PBD creation when set, causing shared storage to remain disconnected after reboot. VMs depending on shared storage cannot start. The disruption persists across reboots until the key is manually removed."
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "format": "CVSS",
          "cvssV4_0": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N",
            "baseScore": 7.0,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "affected": [
        {
          "vendor": "Cloud Software Group",
          "product": "XenServer",
          "versions": [
            { "status": "affected", "version": "all", "versionType": "custom" }
          ]
        },
        {
          "vendor": "Vates",
          "product": "XCP-ng",
          "versions": [
            { "status": "affected", "version": "all", "versionType": "custom" }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Missing Authorization",
              "cweId": "CWE-862",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Input Validation",
              "cweId": "CWE-20",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        { "url": "https://cna.moksha.dk/MOKSHA-2026-0043" }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jakob Wolffhechel, Moksha"
        }
      ]
    }
  }
}