PT-2026-60773 · Proxmox Server Virtual Environment · Pve-Manager+2

CVE-2026-51082

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions pve-manager versions prior to 9.1.9 pve-manager versions prior to 8.4.19 qemu-server versions prior to 9.1.7 qemu-server versions prior to 8.4.7 pve-container versions prior to 6.1.3 pve-container versions prior to 5.3.4
Description A race condition exists between the 'vncproxy' and 'vncwebsocket' API calls. This flaw allows a privileged attacker to use the 'vncproxy' endpoint to hijack a VNC session that is being established simultaneously by another user for a different virtual machine.
Recommendations Update pve-manager to version 9.1.9 or later. Update pve-manager to version 8.4.19 or later. Update qemu-server to version 9.1.7 or later. Update qemu-server to version 8.4.7 or later. Update pve-container to version 6.1.3 or later. Update pve-container to version 5.3.4 or later.

Fix

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-51082

Affected Products

Pve-Container
Pve-Manager
Qemu-Server