{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-03-26T23:25:45.249Z", "dateUpdated": "2026-03-30T11:48:28.483Z"}, "containers": {"cna": {"title": "Local Incus UI web server vulnerable to nuthentication bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq"}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"version": "< 6.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:25:45.249Z"}, "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."}], "source": {"advisory": "GHSA-453r-g2pg-cxxq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:48:05.576413Z", "id": "CVE-2026-33898", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:48:28.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T11:48:05.576413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:48:24.512Z"}}], "cna": {"title": "Local Incus UI web server vulnerable to nuthentication bypass", "source": {"advisory": "GHSA-453r-g2pg-cxxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"status": "affected", "version": "< 6.23.0"}]}], "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq", "name": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:25:45.249Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33898", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:48:28.483Z", "dateReserved": "2026-03-24T15:41:47.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T23:25:45.249Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y m\u00e1quinas virtuales. Antes de la versi\u00f3n 6.23.0, el servidor web generado por `incus webui` valida incorrectamente el token de autenticaci\u00f3n de tal manera que se acepta un valor no v\u00e1lido. `incus webui` ejecuta un servidor web local en un puerto localhost aleatorio. Para la autenticaci\u00f3n, proporciona al usuario una URL que contiene un token de autenticaci\u00f3n. Cuando se accede con ese token, Incus crea una cookie que persiste ese token sin necesidad de incluirlo en solicitudes HTTP posteriores. Si bien el cliente Incus valida correctamente el valor de la cookie, no valida correctamente el token cuando se pasa en la URL.\nEsto permite que un atacante capaz de localizar y comunicarse con el servidor web temporal en localhost tenga tanto acceso a Incus como el usuario que ejecut\u00f3 `incus webui`. Esto puede conducir a una escalada de privilegios por parte de otro usuario local o a un acceso a las instancias de Incus del usuario y posiblemente a los recursos del sistema por parte de un ataque remoto capaz de enga\u00f1ar al usuario local para que interact\u00fae con el servidor web de la interfaz de usuario de Incus. La versi\u00f3n 6.23.0 corrige el problema."}], "id": "CVE-2026-33898", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:23.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "incus: Incus: Privilege escalation and unauthorized access due to improper authentication token validation in web UI", "id": "2452051", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452051"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in Incus, a system container and virtual machine manager. The `incus webui` component incorrectly validates authentication tokens when they are passed in the URL. This vulnerability allows a local attacker, or a remote attacker who can trick a local user into interacting with the Incus UI web server, to gain unauthorized access. Successful exploitation could lead to privilege escalation or unauthorized access to Incus instances and potentially system resources."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid running the `incus webui` command if the web interface functionality is not required. The `incus webui` component spawns a local web server, and refraining from its use eliminates the attack vector. If `incus webui` must be used, ensure that only trusted users have access to the system where it is run and exercise caution with any remote interactions that might trick a local user into accessing the Incus UI web server."}, "name": "CVE-2026-33898", "public_date": "2026-03-26T23:25:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33898\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33898\nhttps://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq"], "statement": "Important: This flaw in the `incus webui` component allows for privilege escalation and unauthorized access. The vulnerability arises from improper authentication token validation when tokens are passed in the URL, enabling a local attacker or a remote attacker (via user interaction) to gain access to Incus instances and potentially system resources. Exploitation requires the `incus webui` server to be running and accessible.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "incus", "source": "cna", "vendor": "lxc"}, "product": "incus", "vendor": "lxc"}], "analysis": {"en": {"generated_at": "2026-03-27T13:23:41.672038+00:00", "value": {"mitigation_remediation": ["Upgrade LXC Incus to version 6.23.0 or newer.", "Restrict execution of `incus webui` to trusted users and consider disabling or removing it if not needed.", "Ensure that the system\u2019s local firewall or network controls prevent non\u2011trusted processes from issuing requests to the localhost port where the web UI runs.", "If an upgrade is not feasible, avoid using `incus webui` and monitor local processes for unauthorized connections to new temporary ports."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is LXC Incus, all releases prior to version 6.23.0. Users running the web UI (via `incus webui`) on these versions are susceptible; the exploit requires local access to the randomly assigned, local\u2011only port where the web server listens.", "description_and_impact": "The vulnerability arises from improper validation of the authentication token issued by Incus\u2019s local web server. A malformed or invalid token is accepted, allowing the server to set a cookie that grants full access to the Incus instance without re\u2011authentication. Once an attacker, local or remotely luring a user, obtains the token and connects to the temporary localhost web server, they can control the user\u2019s Incus instances or leverage system resources, effectively elevating their privileges. The weakness aligns with CWE-287 and CWE-303, reflecting authentication and authorization failures.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity with a potential for privilege escalation. The EPSS score is not available, but the lack of a CISA KEV listing suggests no publicly known exploit yet. The attack vector is local, as the web server binds only to localhost, but a remote attacker could trick a privileged user into interacting with it. Exploitation requires that the attacker can reach the temporary localhost port or trick the user into visiting the URL containing the token."}}}}, "created": "2026-03-27T08:31:25.828405+00:00", "updated": "2026-03-27T15:47:19.766530+00:00", "vendors": ["lxc", "lxc$PRODUCT$incus"]}