{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-03-26T23:25:45.249Z", "dateUpdated": "2026-03-26T23:25:45.249Z"}, "containers": {"cna": {"title": "Local Incus UI web server vulnerable to nuthentication bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq"}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"version": "< 6.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:25:45.249Z"}, "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."}], "source": {"advisory": "GHSA-453r-g2pg-cxxq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."}], "id": "CVE-2026-33898", "lastModified": "2026-03-27T00:16:23.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T00:16:23.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "incus", "source": "cna", "vendor": "lxc"}, "product": "incus", "vendor": "lxc"}], "analysis": {"en": {"generated_at": "2026-03-27T07:06:20.063568+00:00", "value": {"mitigation_remediation": ["Upgrade to Incus 6.23.0 or later to correct the token validation logic", "If an immediate update is not possible, avoid launching incus webui until the patch is applied", "Restrict local traffic to the random port used by incus webui or disable the web UI entirely until a fix is available"], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Incus, the LXC container and virtual machine manager, is affected in all releases prior to version 6.23.0. The vulnerability resides in the web server component initiated by the incus webui command and exposes a random localhost port for clients. Any deployment that uses the web UI for management is susceptible.", "description_and_impact": "A flaw in the Incus web UI causes it to accept any authentication token supplied via the launch URL, creating a session cookie without validating the token. This is a classic authentication bypass identified as CWE\u2011287. As a result, a local attacker who succeeds in finding the temporary web server can obtain the same access rights as the user who started incus webui, effectively elevating privileges on the host.", "risk_and_exploitability": "The CVSS score of 8.8 reflects high severity, and the exploit requires only local access to the random localhost port, making it feasible for a local user or a socially engineered victim. EPSS data is not available, and the issue is not listed in CISA\u2019s KEV catalog, but the high score indicates significant risk if the attack vector is realized. A successful bypass allows the attacker to control Incus instances, potentially affecting system resources and compromising host integrity."}}}}, "created": "2026-03-27T08:31:25.828405+00:00", "updated": "2026-03-27T09:22:48.643328+00:00", "vendors": ["lxc", "lxc$PRODUCT$incus"]}