PT-2026-60773 · Proxmox Server Virtual Environment · Pve-Manager+2
CVE-2026-51082
·
Published
2026-07-17
·
Updated
2026-07-17
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
pve-manager versions prior to 9.1.9
pve-manager versions prior to 8.4.19
qemu-server versions prior to 9.1.7
qemu-server versions prior to 8.4.7
pve-container versions prior to 6.1.3
pve-container versions prior to 5.3.4
Description
A race condition exists between the 'vncproxy' and 'vncwebsocket' API calls. This flaw allows a privileged attacker to use the 'vncproxy' endpoint to hijack a VNC session that is being established simultaneously by another user for a different virtual machine.
Recommendations
Update pve-manager to version 9.1.9 or later.
Update pve-manager to version 8.4.19 or later.
Update qemu-server to version 9.1.7 or later.
Update qemu-server to version 8.4.7 or later.
Update pve-container to version 6.1.3 or later.
Update pve-container to version 5.3.4 or later.
Fix
Race Condition
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pve-Container
Pve-Manager
Qemu-Server