CVE-2026-33898

Severity: High
Published: 27 March 2026
Modified: 01 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: available (see Summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33898 is a high-severity Improper Authentication (CWE-287) vulnerability in Linuxcontainers Incus. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates the CVE by requiring identification, testing, and installation of software patches that fix the improper authentication token validation in the Incus webui.
- prevent (IA-5, Authenticator Management): Ensures proper management, protection, and validation of authentication tokens prior to use, addressing the webui's acceptance of invalid URL tokens.
- prevent (AC-3, Access Enforcement): Mandates enforcement of approved access authorizations at the web server, preventing unauthorized access via flawed token handling in the Incus webui.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Auth bypass in localhost web UI directly enables local privilege escalation (T1068) via port discovery and token bypass; also facilitates exploitation of the exposed management web server (T1190) for unauthorized Incus/container access, including with user-interaction vectors.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token, so that it need not be included in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed in the URL. This allows an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user, or to access to the user's Incus instances and possibly system resources by a remote attacker able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.

Deeper analysis [AI-generated]

Incus, a system container and virtual machine manager, contains a vulnerability in versions prior to 6.23.0 where the local web server spawned by the `incus webui` command incorrectly validates authentication tokens passed in the URL. The `incus webui` utility starts a temporary web server on a random localhost port and generates a URL with an authentication token for user access. Upon initial access, it sets a cookie that persists the token so that it need not be resupplied in the URL on subsequent requests. While the Incus client properly checks cookie values, it accepts invalid tokens in the URL, enabling unauthorized authentication.

An attacker with the ability to locate and connect to the localhost web server can exploit this to gain full access to Incus instances with the privileges of the user who invoked `incus webui`. Local attackers, such as another user on the same system, can achieve privilege escalation by discovering the random port and bypassing authentication. Remote attackers require user interaction, such as tricking the victim into accessing a malicious URL or interacting with the UI, potentially granting access to the victim's Incus instances and associated system resources. The issue scores 8.8 on CVSS v3.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).
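The defect described above is that the URL path and the cookie path do not apply the same check. The following Go program is an added example, not Incus's own code, showing how a localhost web UI can gate both paths through a single token validator: the token is generated with crypto/rand, compared in constant time, and the session cookie is only ever set after the URL token has been verified. The parameter name `token`, the cookie name `webui_auth`, and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
	"net"
	"net/http"
)

// Hypothetical names chosen for this example (not Incus's own).
const (
	tokenQueryParam = "token"      // assumed URL parameter carrying the token
	tokenCookieName = "webui_auth" // assumed session cookie name
)

// TokenAuth gates a localhost web UI behind a single bearer token.
type TokenAuth struct {
	expected []byte
}

// GenerateToken returns a fresh 256-bit random token, hex encoded.
func GenerateToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// NewTokenAuth builds a validator for one expected token.
func NewTokenAuth(expected string) *TokenAuth {
	return &TokenAuth{expected: []byte(expected)}
}

// Valid reports whether a presented token matches the expected one.
// The same check serves the URL and the cookie path, so neither can
// accept a value the other would reject. An empty presentation is
// rejected outright, and the comparison is constant-time.
func (a *TokenAuth) Valid(presented string) bool {
	if presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare(a.expected, []byte(presented)) == 1
}

// Wrap returns a handler that admits a request only if a valid token
// arrives in the URL (first visit) or in the session cookie (later
// visits). The cookie is set only after the URL token has been verified.
func (a *TokenAuth) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if t := r.URL.Query().Get(tokenQueryParam); t != "" {
			if !a.Valid(t) {
				http.Error(w, "invalid token", http.StatusUnauthorized)
				return
			}
			http.SetCookie(w, &http.Cookie{
				Name:     tokenCookieName,
				Value:    t,
				Path:     "/",
				HttpOnly: true,
				SameSite: http.SameSiteStrictMode,
			})
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(tokenCookieName)
		if err != nil || !a.Valid(c.Value) {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	token, err := GenerateToken()
	if err != nil {
		log.Fatal(err)
	}
	auth := NewTokenAuth(token)
	ui := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "web ui")
	})
	// Bind to loopback only, on a random port, as the page describes.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("open http://%s/?%s=%s\n", ln.Addr(), tokenQueryParam, token)
	log.Fatal(http.Serve(ln, auth.Wrap(ui)))
}
```

Running the program prints the one-time URL; a request with a wrong or missing `token` parameter gets 401 and no cookie, while a request with the right value gets the cookie and is admitted on later visits without the parameter. Routing both credentials through `Valid` is what removes the class of bug this CVE describes.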

The GitHub security advisory at https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq details the flaw, confirming that upgrading to Incus version 6.23.0 resolves the token validation issue. No additional mitigations are specified beyond applying the patch.

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products: linuxcontainers incus, versions prior to 6.23.0 (fixed in 6.23.0)

CVEs Like This One

- CVE-2026-33945 (same product: Linuxcontainers Incus)
- CVE-2026-23954 (same product: Linuxcontainers Incus)
- CVE-2026-33711 (same product: Linuxcontainers Incus)
- CVE-2026-33897 (same product: Linuxcontainers Incus)
- CVE-2026-23953 (same product: Linuxcontainers Incus)
- CVE-2024-57490 (shared CWE-287)
- CVE-2025-67158 (shared CWE-287)
- CVE-2026-33665 (shared CWE-287)
- CVE-2026-0405 (shared CWE-287)
- CVE-2025-56333 (shared CWE-287)

References

- GitHub security advisory GHSA-453r-g2pg-cxxq: https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq