Skip to main content

Red Hat CVE-2026-33898

| EUVDEUVD-2026-16490 HIGH
Improper Authentication (CWE-287)
2026-03-26 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 23:31 euvd
EUVD-2026-16490
Analysis Generated
Mar 26, 2026 - 23:31 vuln.today
CVE Published
Mar 26, 2026 - 23:25 nvd
HIGH 8.8

DescriptionGitHub Advisory

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL. This allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran incus webui. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.

AnalysisAI

Authentication bypass in Incus webui (versions prior to 6.23.0) permits local or remote attackers to gain unauthorized access to the system container and virtual machine manager via an improperly validated authentication token. The vulnerability allows attackers who can reach the temporary localhost web server to escalate privileges to the level of the user running 'incus webui', enabling control over containers, virtual machines, and potentially underlying system resources. CVSS score of 8.8 (High) reflects network attack vector with low complexity requiring user interaction; no public exploit identified at time of analysis.

Technical ContextAI

Incus is a system container and virtual machine manager developed by the LXC project (cpe:2.3:a:lxc:incus). The vulnerability stems from CWE-287 (Improper Authentication), specifically affecting the temporary web server spawned by the 'incus webui' command. The web server generates a random localhost port and provides users with a URL containing an authentication token. While the server correctly validates the token when stored in cookies, it fails to properly validate the token when passed directly in the URL query string. This dual-path authentication weakness creates an exploitable condition where malformed or invalid tokens in URL parameters are incorrectly accepted, bypassing the intended authentication mechanism entirely.

RemediationAI

Upgrade Incus to version 6.23.0 or later, which contains the vendor-released patch addressing the authentication validation flaw (see https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq). Until patching is feasible, restrict use of the 'incus webui' command on multi-user systems, implement network isolation to prevent unauthorized localhost access, and educate users to avoid clicking untrusted links while the webui server is active. Organizations should audit who has access to execute Incus commands and consider disabling webui functionality in environments where local privilege escalation poses elevated risk. Review system logs for unexpected webui invocations or authentication attempts during the vulnerable period.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy