Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL. This allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran incus webui. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
AnalysisAI
Authentication bypass in Incus webui (versions prior to 6.23.0) permits local or remote attackers to gain unauthorized access to the system container and virtual machine manager via an improperly validated authentication token. The vulnerability allows attackers who can reach the temporary localhost web server to escalate privileges to the level of the user running 'incus webui', enabling control over containers, virtual machines, and potentially underlying system resources. CVSS score of 8.8 (High) reflects network attack vector with low complexity requiring user interaction; no public exploit identified at time of analysis.
Technical ContextAI
Incus is a system container and virtual machine manager developed by the LXC project (cpe:2.3:a:lxc:incus). The vulnerability stems from CWE-287 (Improper Authentication), specifically affecting the temporary web server spawned by the 'incus webui' command. The web server generates a random localhost port and provides users with a URL containing an authentication token. While the server correctly validates the token when stored in cookies, it fails to properly validate the token when passed directly in the URL query string. This dual-path authentication weakness creates an exploitable condition where malformed or invalid tokens in URL parameters are incorrectly accepted, bypassing the intended authentication mechanism entirely.
RemediationAI
Upgrade Incus to version 6.23.0 or later, which contains the vendor-released patch addressing the authentication validation flaw (see https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq). Until patching is feasible, restrict use of the 'incus webui' command on multi-user systems, implement network isolation to prevent unauthorized localhost access, and educate users to avoid clicking untrusted links while the webui server is active. Organizations should audit who has access to execute Incus commands and consider disabling webui functionality in environments where local privilege escalation poses elevated risk. Review system logs for unexpected webui invocations or authentication attempts during the vulnerable period.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16490