PT-2026-53013 · Incus · Incus

Published

2026-06-26

·

Updated

2026-07-07

·

CVE-2026-48752

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Incus (affected versions not specified)
Description A flaw exists where a specially crafted container image or instance backup can be used to read or create and write arbitrary files on the host, potentially leading to arbitrary command execution. The issue occurs because the software fails to reject a top-level templates symlink during tar extraction in internal/server/storage/utils.go and shared/archive/archive.go. Additionally, for instance backups, the rsync.LocalCopy function in internal/server/storage/drivers/driver dir volumes.go uses the -a argument without the --safe-links flag, allowing the same symlink exploitation. This enables a malicious actor to map the templates directory to an arbitrary host directory, such as /etc/cron.d, to modify system files.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48752
GHSA-VXP5-584Q-C479
GO-2026-5803

Affected Products

Incus