PT-2026-37102 · Incus · Incus

Stamparm · Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-40243

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0

Description: Broken TLS validation in the OVN database connection code allows connections to an attacker-controlled OVN database. The OVN client implementations disable standard Go TLS server verification and use custom peer-certificate verification logic that fails to anchor trust in the configured CA certificate. Instead, the verification root set is constructed from certificates supplied by the peer during the handshake, so the configured CA is parsed but ignored for the final verification decision.

In OVN-enabled deployments using these SSL database connection paths, an attacker capable of impersonating or intercepting the OVN endpoint on the management network can present a rogue self-signed certificate chain, which Incus will accept as valid. This affects authenticated connections to the OVN northbound and southbound databases, which serve as authoritative control-plane interfaces for logical network configuration and distribution. This failure of the CA-based trust model permits endpoint impersonation by an active attacker in a suitable network position.

Recommendations: Update to version 7.0.0.
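The following Go program is an added illustration of the verification defect described above; it is not Incus's own code and does not reproduce its OVN client. It reconstructs the pattern in the abstract: a callback that parses the configured CA but builds the root pool from the peer-supplied chain (brokenVerify), next to a version that anchors trust only in the configured CA (fixedVerify), plus the plain tls.Config a client should use instead of InsecureSkipVerify with a custom callback. All certificates are generated in-process, and the hostname and function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const ovnHost = "ovn-nb.example.internal" // constructed hostname, not from the advisory

// makeCert issues a certificate for cn. With parent == nil it is a self-signed CA;
// otherwise it is a server leaf signed by parent. Keys are generated in-process.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{ovnHost}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, key.Public(), signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// parseChain decodes the DER certificates a peer presented, leaf first.
func parseChain(rawCerts [][]byte) ([]*x509.Certificate, error) {
	if len(rawCerts) == 0 {
		return nil, fmt.Errorf("peer presented no certificate")
	}
	chain := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	return chain, nil
}

// brokenVerify models the defective pattern: configuredCA is received but never
// consulted, and the root pool is built from the peer's own extra certificates,
// so any self-consistent chain (including a rogue self-signed one) verifies.
func brokenVerify(rawCerts [][]byte, configuredCA *x509.Certificate) error {
	chain, err := parseChain(rawCerts)
	if err != nil {
		return err
	}
	_ = configuredCA // parsed upstream, ignored here: this is the defect
	roots := x509.NewCertPool()
	for _, c := range chain[1:] {
		roots.AddCert(c) // trust anchor chosen by the peer
	}
	_, err = chain[0].Verify(x509.VerifyOptions{Roots: roots, DNSName: ovnHost})
	return err
}

// fixedVerify anchors trust only in the operator-configured CA; peer-supplied
// extra certificates may act as intermediates but never as roots.
func fixedVerify(rawCerts [][]byte, configuredCA *x509.Certificate) error {
	chain, err := parseChain(rawCerts)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(configuredCA)
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err = chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: ovnHost})
	return err
}

// hardenedClientConfig is the simpler remedy: let the standard library verify
// against RootCAs and ServerName instead of InsecureSkipVerify plus a callback.
func hardenedClientConfig(configuredCA *x509.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(configuredCA)
	return &tls.Config{RootCAs: roots, ServerName: ovnHost, MinVersion: tls.VersionTLS12}
}

// demo builds a legitimate chain and a rogue self-signed chain and runs both
// verifiers. It returns (brokenAcceptsRogue, fixedAcceptsRogue, fixedAcceptsGood).
func demo() (bool, bool, bool, error) {
	goodCA, goodKey, err := makeCert("ovn-ca", nil, nil)
	if err != nil {
		return false, false, false, err
	}
	goodLeaf, _, err := makeCert("ovn-nb", goodCA, goodKey)
	if err != nil {
		return false, false, false, err
	}
	rogueCA, rogueKey, err := makeCert("rogue-ca", nil, nil) // attacker-made, constructed here
	if err != nil {
		return false, false, false, err
	}
	rogueLeaf, _, err := makeCert("ovn-nb", rogueCA, rogueKey)
	if err != nil {
		return false, false, false, err
	}
	goodChain := [][]byte{goodLeaf.Raw, goodCA.Raw}
	rogueChain := [][]byte{rogueLeaf.Raw, rogueCA.Raw}
	return brokenVerify(rogueChain, goodCA) == nil,
		fixedVerify(rogueChain, goodCA) == nil,
		fixedVerify(goodChain, goodCA) == nil, nil
}

func main() {
	b, fr, fg, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("broken verifier accepts rogue chain:", b)  // true
	fmt.Println("fixed verifier accepts rogue chain: ", fr) // false
	fmt.Println("fixed verifier accepts real chain:  ", fg) // true
}
```

The root pool is the whole point: in the broken variant the peer decides what counts as a trust anchor, so the configured CA is irrelevant to the outcome, which is the advisory's "parsed but ignored" condition. A quick check for the same class of bug in other Go code is to grep for `InsecureSkipVerify: true` paired with a `VerifyPeerCertificate` callback and confirm that the callback's `x509.VerifyOptions.Roots` is populated from configuration rather than from `rawCerts`.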

Weakness Enumeration

Improper Certificate Validation
Improper Authentication

Related Identifiers

CVE-2026-40243
GHSA-C839-4QXR-J4X3

Affected Products

Incus