An issue has been identified in the XenServer management API SDK that may allow an attacker on the management network who is able to intercept specific HTTPS requests within a higher-level operation to be able to act with the privileges of the intercepted administrator. This issue affects the XenCenter management agent together with third-party PowerShell and C# SDK clients.
This issue has the following identifier:
CVE-2026-42491
Affected Versions
This issue affects XenCenter versions before 2026.4.0 and, for PowerShell and C# clients only, SDK versions before 26.15.0. As the issue is in the client-side (XenCenter and SDK) code, it is independent of the version of XenServer that is in use.
Vulnerabilities have been discovered in the Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client. Refer to the information below for further details:
Affected Versions:
The following supported versions of Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client for Windows are affected by CVE-2026-53565:
Citrix Secure Access Client for Windows versions BEFORE 26.6.1.20
Citrix Endpoint Analysis Client for Windows versions BEFORE 26.5.1.7
The following supported versions of Citrix Secure Access Client for Windows are affected by CVE-2026-53566:
Citrix Secure Access Client for Windows versions BEFORE 26.6.1.20
Details
Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client for Windows contain the vulnerabilities mentioned below
CVE-ID
Description
Affected Products
Pre-conditions
CWE
CVSSv4
CVE-2026-53565
Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges
Citrix Secure Access Client for Windows AND Citrix Endpoint Analysis Client for Windows
Standard user access on local system
CWE-269: Improper Privilege Management
CVSS v4.0 Base Score: 8.5(CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CVE-2026-53566
Out-of-bounds memory read
Citrix Secure Access Client for Windows
Standard user access on local system and DNE driver is not installed
CWE-125: Out-of-bounds Read
CVSS v4.0 Base Score: 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
What Customers Should Do
Cloud Software Group strongly urges customers of Citrix Secure Access Client for Windows and Citrix Endpoint Analysis Client to install the relevant updated versions as soon as possible:
Citrix Secure Access Client for Windows 26.6.1.20 and later releases
Citrix Endpoint Analysis Client for Windows 26.5.1.7 and later releases
Steps to determine if an appliance meets the CVE preconditions