Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token so it does not need to be included in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed in the URL.
This allows an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user, or to access to the user's Incus instances and possibly system resources by a remote attacker able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
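The token-handling pattern the description refers to, as an added illustration that is not Incus's code: a constructed local web UI handler in which the cookie value is compared against the expected token but the token passed in the URL is only checked for presence before being persisted, beside a hardened handler that validates both sources with a constant-time comparison and only persists a token it has verified. The handler names, the `token` query parameter, the cookie name and the exact defect are assumptions for the illustration; the advisory does not state the precise bug in Incus. The `probe` helper drives both handlers through `httptest` so nothing listens on a port.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
)

// Constructed illustration of the bug class described in the advisory: a local
// web UI that hands the user a URL containing a token and then persists it in a
// cookie. This is NOT Incus's code; the names and the exact defect are assumed.

const cookieName = "ui-auth" // assumed name

// newToken returns a random 256-bit token, hex encoded, as a URL/cookie value.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// vulnerableHandler models the defect: the cookie path compares the value, but
// the URL path only checks that *some* token was supplied before issuing the
// cookie, so any non-empty value is accepted and then persisted.
func vulnerableHandler(expected string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil {
			if subtle.ConstantTimeCompare([]byte(c.Value), []byte(expected)) == 1 {
				w.WriteHeader(http.StatusOK)
				return
			}
		}
		if tok := r.URL.Query().Get("token"); tok != "" { // bug: presence, not equality
			http.SetCookie(w, &http.Cookie{Name: cookieName, Value: tok, HttpOnly: true, Path: "/"})
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	})
}

// fixedHandler validates both the cookie and the URL token against the expected
// value with a constant-time comparison, and only persists the verified token.
func fixedHandler(expected string) http.Handler {
	valid := func(v string) bool {
		return subtle.ConstantTimeCompare([]byte(v), []byte(expected)) == 1
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil && valid(c.Value) {
			w.WriteHeader(http.StatusOK)
			return
		}
		if tok := r.URL.Query().Get("token"); tok != "" && valid(tok) {
			http.SetCookie(w, &http.Cookie{
				Name: cookieName, Value: expected, HttpOnly: true, Path: "/",
				SameSite: http.SameSiteStrictMode,
			})
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	})
}

// probe returns the status code the handler gives a request carrying the given
// URL token (empty string = no token) and no cookie.
func probe(h http.Handler, token string) int {
	target := "/ui/"
	if token != "" {
		target += "?token=" + token
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	expected := newToken()
	wrong := newToken()
	println("vulnerable, wrong token:", probe(vulnerableHandler(expected), wrong)) // 200
	println("fixed, wrong token:     ", probe(fixedHandler(expected), wrong))      // 403
	println("fixed, right token:     ", probe(fixedHandler(expected), expected))   // 200
}
```

The detection-relevant difference is the first branch of each URL check: the vulnerable version turns any non-empty `token` into a persistent session, which is why the description notes that correct cookie validation does not help once an unvalidated value has been written into the cookie.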
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

A flaw in the Incus web UI causes it to accept any authentication token supplied via the launch URL, creating a session cookie without validating the token. This is a classic authentication bypass identified as CWE‑287. As a result, a local attacker who succeeds in finding the temporary web server can obtain the same access rights as the user who started incus webui, effectively elevating privileges on the host.

Affected Systems

Incus, the LXC container and virtual machine manager, is affected in all releases prior to version 6.23.0. The vulnerability resides in the web server component initiated by the incus webui command and exposes a random localhost port for clients. Any deployment that uses the web UI for management is susceptible.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity, and the exploit requires only local access to the random localhost port, making it feasible for a local user or a socially engineered victim. EPSS data is not available, and the issue is not listed in CISA’s KEV catalog, but the high score indicates significant risk if the attack vector is realized. A successful bypass allows the attacker to control Incus instances, potentially affecting system resources and compromising host integrity.

Generated by OpenCVE AI on March 27, 2026 at 07:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Incus 6.23.0 or later to correct the token validation logic
  • If an immediate update is not possible, avoid launching incus webui until the patch is applied
  • Restrict local traffic to the random port used by incus webui or disable the web UI entirely until a fix is available

Generated by OpenCVE AI on March 27, 2026 at 07:06 UTC.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-303
References
Metrics      threat_severity: None     threat_severity: Important


Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Lxc, Lxc incus
Vendors & Products                     Lxc, Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type          Values Removed   Values Added
Description                    Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed in the URL. This allows an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user, or to access to the user's Incus instances and possibly system resources by a remote attacker able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
Title                          Local Incus UI web server vulnerable to authentication bypass
Weaknesses                     CWE-287
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T23:25:45.249Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33898

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T00:16:23.333

Modified: 2026-03-27T00:16:23.333

Link: CVE-2026-33898

Redhat

Severity: Important

Public Date: 2026-03-26T23:25:45Z

Links: CVE-2026-33898 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:48Z

Weaknesses