CVE-2026-33898 Overview
CVE-2026-33898 is an authentication bypass vulnerability in Incus, a system container and virtual machine manager developed by LinuxContainers. The vulnerability exists in the incus webui command, where the web server incorrectly validates authentication tokens passed via URL parameters. While the Incus client correctly validates the value of cookies containing the token, it fails to properly validate the token when passed directly in the URL, allowing attackers to bypass authentication controls.
Critical Impact
Successful exploitation allows an attacker to gain unauthorized access to Incus with the same privileges as the user who ran incus webui, potentially leading to privilege escalation, unauthorized access to containers and virtual machines, and compromise of system resources.
Affected Products
- Linuxcontainers Incus versions prior to 6.23.0
- Systems running incus webui with the vulnerable authentication mechanism
- All platforms where Incus is deployed with web UI functionality enabled
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-33898 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33898
Vulnerability Analysis
The vulnerability stems from a critical flaw in the authentication token validation logic within the incus webui command. When a user runs incus webui, the system spawns a local web server on a random localhost port and provides the user with a URL containing an authentication token. Upon accessing this URL, Incus creates a persistent cookie that stores the token, eliminating the need to include it in subsequent HTTP requests.
The core issue lies in the inconsistent validation approach: while the Incus client properly validates tokens stored in cookies, it fails to apply the same rigorous validation to tokens passed directly through URL parameters. This validation gap means that invalid or malformed tokens may be incorrectly accepted when submitted via the URL.
Root Cause
The root cause is improper authentication validation (CWE-287) where the application implements different validation paths for the same authentication token depending on how it is transmitted. The URL-based token validation path lacks the security controls present in the cookie-based validation, creating an authentication bypass condition.
Attack Vector
The attack can be executed through two primary scenarios:
Local Privilege Escalation: Another user on the same system who can locate and communicate with the temporary web server on localhost can exploit this vulnerability to gain the same level of access to Incus as the legitimate user who initiated the web UI session.
Remote Social Engineering: A remote attacker could potentially trick a local user into interacting with a malicious request to the Incus UI web server. If successful, this could grant the attacker access to the user's Incus instances and potentially underlying system resources.
The attack requires the ability to reach the localhost web server and knowledge of or the ability to guess the random port being used. The vulnerability affects the network attack vector with low complexity, requiring no privileges but some user interaction.
Detection Methods for CVE-2026-33898
Indicators of Compromise
- Unexpected authentication sessions in Incus web UI logs without corresponding valid token generation
- Multiple connection attempts to random localhost ports from unusual processes or users
- Anomalous access patterns to container or VM resources by users who did not initiate incus webui sessions
- Evidence of privilege escalation or unauthorized container manipulation
Detection Strategies
- Monitor for unusual inter-process communication patterns targeting localhost ports used by incus webui
- Implement logging to track authentication token usage and flag invalid tokens that result in successful authentication
- Deploy endpoint detection to identify suspicious processes attempting to interact with the Incus web server
- Audit user sessions and correlate incus webui invocations with actual authenticated activity
Monitoring Recommendations
- Enable verbose logging for Incus web UI sessions to capture authentication events
- Configure alerts for multiple failed or unusual authentication attempts against the local web server
- Monitor system user activity for lateral movement patterns following Incus web UI access
- Implement network segmentation monitoring to detect unauthorized localhost port scanning
How to Mitigate CVE-2026-33898
Immediate Actions Required
- Upgrade Incus to version 6.23.0 or later immediately to patch the vulnerability
- Avoid using incus webui on shared or multi-user systems until the patch is applied
- Review access logs for any signs of unauthorized access to Incus resources
- Restrict local user access to systems where Incus web UI is commonly used
Patch Information
LinuxContainers has released version 6.23.0 of Incus which addresses this authentication bypass vulnerability. The patch corrects the token validation logic to ensure consistent security checks regardless of whether the token is passed via URL parameter or cookie. Administrators should update to this version as soon as possible. For detailed information, refer to the GitHub Security Advisory GHSA-453r-g2pg-cxxq.
Workarounds
- Disable or avoid using the incus webui command on systems with multiple users until patched
- Use alternative Incus management methods such as CLI or API access that do not rely on the vulnerable web UI
- Implement local firewall rules to restrict access to localhost ports used by the web UI to only the intended user process
- Consider running Incus web UI sessions only in isolated environments or containers to limit potential impact
# Upgrade Incus to patched version
# For systems using snap:
sudo snap refresh incus --channel=latest/stable
# Verify installed version is 6.23.0 or later
incus version
# If unable to upgrade immediately, avoid using web UI
# Use CLI commands instead for container management
incus list
incus exec <container-name> -- /bin/bash
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
