Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.
This allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local authentication bypass leading to privilege escalation
Action: Immediate Patch
AI Analysis

Impact

Incus, a container and virtual machine manager, runs a temporary local web server when the web UI is launched. The server fails to properly validate the authentication token supplied in the URL, accepting any token value. The token is then stored in a cookie without further verification, allowing an attacker who can reach the localhost port to authenticate as the original user. This flaw enables unauthorized access to all Incus instances and potentially system resources, constituting a significant privilege escalation risk.

Affected Systems

The vulnerability affects all LXC Incus installations prior to version 6.23.0. Users running any earlier Incus release that launches the web UI (incus webui) are at risk, while versions 6.23.0 and newer have the issue remediated.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, yet the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation likelihood. Nevertheless, the attack vector is local: an attacker must be able to connect to the random localhost port used by the web UI. A remote attacker could potentially manipulate a local user into accessing the token URL, turning the vulnerability into a social‑engineering vector. Given the severity score, the risk remains high.

Generated by OpenCVE AI on April 2, 2026 at 04:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Incus 6.23.0 or later to receive the patch that validates the authentication token correctly.
  • If an upgrade is not feasible, isolate the web UI port by configuring the host firewall to block all inbound traffic to the localhost port used by incus webui, preventing other local users or services from connecting.
  • Disable the web UI feature if it is unnecessary, or restrict its usage to trusted contexts only.
  • Monitor for unexpected HTTP servers listening on local ports that could indicate exploitation attempts.

Generated by OpenCVE AI on April 2, 2026 at 04:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-453r-g2pg-cxxq Local Incus UI web server vulnerable to nuthentication bypass
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Linuxcontainers
Linuxcontainers incus
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products Linuxcontainers
Linuxcontainers incus

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-303
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL. This allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
Title Local Incus UI web server vulnerable to nuthentication bypass
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Linuxcontainers Incus
Lxc Incus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T11:48:28.483Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33898

cve-icon Vulnrichment

Updated: 2026-03-30T11:48:24.512Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T00:16:23.333

Modified: 2026-04-01T16:09:31.703

Link: CVE-2026-33898

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T23:25:45Z

Links: CVE-2026-33898 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:05Z

Weaknesses