CVE-2026-33898

{"id": "CVE-2026-33898", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-27T00:16:23.333", "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y m\u00e1quinas virtuales. Antes de la versi\u00f3n 6.23.0, el servidor web generado por `incus webui` valida incorrectamente el token de autenticaci\u00f3n de tal manera que se acepta un valor no v\u00e1lido. `incus webui` ejecuta un servidor web local en un puerto localhost aleatorio. Para la autenticaci\u00f3n, proporciona al usuario una URL que contiene un token de autenticaci\u00f3n. Cuando se accede con ese token, Incus crea una cookie que persiste ese token sin necesidad de incluirlo en solicitudes HTTP posteriores. Si bien el cliente Incus valida correctamente el valor de la cookie, no valida correctamente el token cuando se pasa en la URL.\nEsto permite que un atacante capaz de localizar y comunicarse con el servidor web temporal en localhost tenga tanto acceso a Incus como el usuario que ejecut\u00f3 `incus webui`. Esto puede conducir a una escalada de privilegios por parte de otro usuario local o a un acceso a las instancias de Incus del usuario y posiblemente a los recursos del sistema por parte de un ataque remoto capaz de enga\u00f1ar al usuario local para que interact\u00fae con el servidor web de la interfaz de usuario de Incus. La versi\u00f3n 6.23.0 corrige el problema."}], "lastModified": "2026-04-01T16:09:31.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBE3ABCB-1D47-4A45-A09A-C9F609C53131", "versionEndExcluding": "6.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}