Description
Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and replace it with custom peer-certificate verification logic. That replacement verifier does not anchor trust in the configured CA certificate. Instead, it constructs the verification root set from certificates supplied by the peer during the handshake, so the configured CA is parsed but not used as the trust anchor for the final verification decision.

In OVN-enabled deployments that use these SSL database connection paths, an attacker able to impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain, and Incus will accept this certificate as valid. This issue defeats the intended CA-based trust model for OVN database connections and permits endpoint impersonation by an active attacker in a suitable network position. This issue is fixed in version 7.0.0.
Published: 2026-05-06
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In versions of Incus prior to 7.0.0, the OVN database connection logic disables Go's standard TLS server verification and substitutes a custom peer-certificate check that builds its trust roots from the certificates the peer itself presents; the configured CA certificate is parsed but never used as the anchor. An active attacker who can intercept or impersonate the OVN database endpoint on the management network can therefore present a rogue self-signed certificate chain and have Incus accept it as valid, so the connection is established to the attacker rather than to the genuine OVN database. The CVSS 4.0 vector recorded on this page rates the resulting confidentiality and integrity impact as low (VC:L/VI:L) with no availability impact (VA:N): the attacker can observe or alter what Incus exchanges with the OVN database over that connection, which is control-plane data for container and virtual machine networking.

Affected Systems

The vulnerability affects the Incus system container and virtual machine manager (vendor lxc, product incus). Versions earlier than 7.0.0 are affected, and only in OVN-enabled deployments that connect to the OVN database over SSL; deployments that do not use those SSL database connection paths never reach the broken verifier. Version 7.0.0 and later are not affected.

Risk and Exploitability

The CVSS 4.0 base score of 2.3 (Low) reflects an attack from an adjacent network with high attack complexity (AV:A/AC:H), no privileges or user interaction required (PR:N/UI:N), and low confidentiality and integrity impact. The EPSS estimate on this page is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records a proof of concept (Exploitation: poc) that is not automatable. The attacker must first be positioned to intercept or impersonate the OVN database endpoint on the management network, for example on the same segment or through compromised network equipment; from there the rogue certificate is accepted and the handshake completes without any TLS error on the Incus side, so the impersonation would not be flagged by the client itself.

Generated by OpenCVE AI on May 6, 2026 at 22:22 UTC.

Remediation

Fixed in Incus 7.0.0; upgrade to 7.0.0 or later. Debian tracks the fix for its incus package as DSA-6244-1 (see Advisories below).

OpenCVE Recommended Actions

  • Upgrade Incus to version 7.0.0 or later, which restores CA-anchored verification for the OVN database connections.
  • If you build or patch Incus yourself, confirm that the OVN database clients verify against the configured CA certificate: Go's standard server verification must not be disabled in favour of a custom peer-certificate callback whose root set is populated from the peer's own chain.
  • Restrict reachability of the OVN database endpoints with network segmentation or firewall rules so that only trusted Incus hosts and OVN nodes can reach them; the attack requires a position on the management network.



Advisories
Source        ID                   Title
Debian DSA    DSA-6244-1           incus security update
GitHub GHSA   GHSA-c839-4qxr-j4x3  Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
History

Thu, 07 May 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 23:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Lxc; Lxc incus
Vendors & Products                     Lxc; Lxc incus

Wed, 06 May 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    (the description text shown at the top of this page)
Title                          Incus OVN TLS verification accepts peer-supplied roots and permits endpoint impersonation
Weaknesses                     CWE-295
References                     (none recorded)
Metrics                        cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:03:42.997Z

Reserved: 2026-04-10T17:31:45.785Z

Link: CVE-2026-40243

Vulnrichment

Updated: 2026-05-07T14:02:07.269Z

NVD

Status: Undergoing Analysis

Published: 2026-05-06T21:16:01.070

Modified: 2026-05-07T15:16:05.950

Link: CVE-2026-40243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses