Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33897

CVE-2026-33897: Incus Privilege Escalation Vulnerability

CVE-2026-33897 is a privilege escalation flaw in Incus that allows arbitrary file reads and writes as root on the host server. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-33897 Overview

CVE-2026-33897 is a critical vulnerability in Incus, a system container and virtual machine manager. The vulnerability exists in the pongo2 template implementation, where instance template files can be leveraged to perform arbitrary file read or write operations as root on the host server. This represents a severe container escape vulnerability that completely compromises the isolation guarantees of the containerization platform.

Incus allows for pongo2 templates within instances that can be used at various points in the instance lifecycle to template files inside of the instance. The implementation included file read/write functionality with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. However, the chroot isolation mechanism is entirely skipped by pongo2, leading to unrestricted access to the entire host system's filesystem with root privileges.

Critical Impact

Authenticated attackers can escape container isolation to read and write arbitrary files on the host system with root privileges, leading to complete host compromise.

Affected Products

  • Incus versions prior to 6.23.0

Discovery Timeline

  • 2026-03-26 - CVE CVE-2026-33897 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33897

Vulnerability Analysis

This vulnerability represents a critical container escape flaw (CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine) in Incus's pongo2 template implementation. The core issue stems from a fundamental failure in the security architecture where the chroot isolation mechanism—designed to restrict template file operations to the container's filesystem—is completely bypassed.

In a properly functioning system, when a pongo2 template attempts to read or write files, the chroot mechanism should constrain those operations to the instance's root filesystem. However, due to this vulnerability, the chroot isolation is entirely skipped, meaning template operations have unrestricted access to the host's filesystem with root privileges. This allows an attacker with the ability to create or modify instance templates to read sensitive files (such as /etc/shadow, SSH private keys, or application secrets) or write malicious content to critical system files.

The attack requires low privileges (an authenticated user who can manage containers) but can be exploited remotely over the network. The scope is changed because exploiting the vulnerability within a container directly impacts the host system.

Root Cause

The root cause is improper implementation of filesystem isolation in the pongo2 template engine integration. The chroot feature intended to sandbox template file operations is not properly enforced, allowing template operations to escape the container's filesystem boundary and access the host's root filesystem. This represents a template injection vulnerability where the template engine's file access capabilities are not properly constrained.

Attack Vector

The attack is network-accessible and requires low privileges (an authenticated user with container management capabilities). An attacker can craft malicious pongo2 templates that reference files outside the intended container filesystem. When these templates are processed during the instance lifecycle, the attacker gains the ability to read sensitive host files or write arbitrary content to the host filesystem, all executing with root privileges.

The vulnerability can be exploited by creating or modifying instance templates that use pongo2's file read/write functionality with path traversal sequences or absolute paths that target the host filesystem. Since the chroot isolation is bypassed, these operations succeed against the host's root filesystem rather than being constrained to the container.

Detection Methods for CVE-2026-33897

Indicators of Compromise

  • Unusual file access patterns from Incus container processes accessing paths outside container root directories
  • Template files containing suspicious path traversal sequences (e.g., ../../../etc/passwd) or absolute host paths
  • Unexpected modifications to sensitive host system files such as /etc/passwd, /etc/shadow, or SSH configuration
  • Log entries showing template processing with file operations targeting host filesystem paths

Detection Strategies

  • Monitor Incus instance template files for suspicious file read/write operations referencing paths outside expected container boundaries
  • Implement file integrity monitoring on critical host system files to detect unauthorized modifications
  • Audit container configuration changes and template modifications, particularly those involving file operations
  • Review Incus logs for template processing errors or unusual file access patterns

Monitoring Recommendations

  • Enable detailed logging for Incus template processing operations
  • Implement host-based intrusion detection to monitor for container escape attempts
  • Deploy SentinelOne Singularity Platform for real-time detection of suspicious file system operations and container escape techniques
  • Establish baseline behavioral patterns for normal Incus operations and alert on deviations

How to Mitigate CVE-2026-33897

Immediate Actions Required

  • Upgrade Incus to version 6.23.0 or later immediately to patch the vulnerability
  • Audit existing instance templates for any signs of malicious file operations or suspicious paths
  • Review container configurations and restrict template capabilities where possible until patching is complete
  • Implement network segmentation to limit access to Incus management interfaces

Patch Information

The vulnerability is patched in Incus version 6.23.0. Organizations should upgrade to this version or later to remediate the vulnerability. The patch properly enforces the chroot isolation mechanism for pongo2 template file operations, ensuring template file access is correctly constrained to the instance's filesystem. Refer to the GitHub Security Advisory for additional details.

Workarounds

  • Restrict access to Incus management interfaces to trusted administrators only until the patch can be applied
  • Disable or limit template functionality in instances if not required for operations
  • Implement strict network access controls to prevent unauthorized users from managing containers
  • Monitor and audit all template operations as an interim detection measure

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne