PT-2026-28561 · Incus

Author: Grmpyninja · Published: 2026-01-01 · Updated: 2026-04-20

CVE-2026-33898

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 6.23.0

Description: Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server started by `incus webui` does not properly validate authentication tokens and accepts invalid values. `incus webui` runs a local web server on a random localhost port and prints a URL that carries an authentication token for access. On first access, Incus sets a cookie to persist the token so that it need not be included in subsequent HTTP requests. The Incus client correctly validates the token when it arrives in the cookie, but fails to validate it when it is passed in the URL. An attacker who can reach the temporary web server on localhost therefore gains the same level of access as the user who launched `incus webui`. This can lead to privilege escalation by another local user, or to access to the user's Incus instances and system resources by a remote attacker who can trick the local user into interacting with the Incus UI web server.

Recommendations: Update to Incus version 6.23.0 or later.

Weakness Enumeration: Improper Authentication

Related Identifiers

BDU:2026-07325
CVE-2026-33898
GHSA-453R-G2PG-CXXQ
GO-2026-4879
OPENSUSE-SU-2026:10450-1

Affected Products

Incus
RED OS