{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33898/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Incus"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33898","privilege-escalation","authentication-bypass","linux"],"_cs_type":"advisory","_cs_vendors":["Incus"],"content_html":"\u003cp\u003eIncus is a system container and virtual machine manager. Prior to version 6.23.0, the \u003ccode\u003eincus webui\u003c/code\u003e component contains an authentication bypass vulnerability (CVE-2026-33898). The vulnerability lies in the incorrect validation of authentication tokens by the web server spawned by \u003ccode\u003eincus webui\u003c/code\u003e. \u003ccode\u003eincus webui\u003c/code\u003e launches a local web server on a randomly assigned localhost port and issues a URL containing an authentication token for user access. While the Incus client correctly validates cookies, it fails to properly validate tokens passed directly in the URL. This flaw can be exploited by an attacker able to communicate with the temporary web server on localhost. Successful exploitation grants the attacker the same privileges as the user who initiated \u003ccode\u003eincus webui\u003c/code\u003e. This impacts system security as it may lead to privilege escalation or unauthorized access to Incus instances and potentially system resources. The vulnerability is resolved in Incus version 6.23.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user initiates the \u003ccode\u003eincus webui\u003c/code\u003e command, which spawns a temporary web server on a random localhost port (e.g., 127.0.0.1:8080).\u003c/li\u003e\n\u003cli\u003eIncus provides the user with a URL containing an authentication token (e.g., http://127.0.0.1:8080/?token=abcdef123456).\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the network or system where the Incus webui is running, and identifies the localhost port being used.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the \u003ccode\u003eincus webui\u003c/code\u003e web server, using a valid or even an invalid token in the URL. The vulnerability does not properly validate the token.\u003c/li\u003e\n\u003cli\u003eDue to the authentication bypass, the attacker is granted access to the Incus webui with the privileges of the user who started the \u003ccode\u003eincus webui\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eIf the attacker is a local user, they can leverage their newly acquired privileges to escalate their access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker could manipulate Incus instances, access sensitive data, or potentially gain control of underlying system resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation or unauthorized access, depending on the attacker's initial location and goals.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33898 allows an attacker to gain the privileges of the user running \u003ccode\u003eincus webui\u003c/code\u003e. If the attacker is a local user, this results in privilege escalation, allowing them to perform actions they were previously unauthorized to do. A remote attacker who can trick a local user into interacting with the Incus web UI server could gain unauthorized access to Incus instances and potentially sensitive system resources. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Incus to version 6.23.0 or later to patch the vulnerability (CVE-2026-33898).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the \u003ccode\u003eincus webui\u003c/code\u003e web server.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the \u003ccode\u003eincus webui\u003c/code\u003e web server for suspicious activity (see the network connection Sigma rule below).\u003c/li\u003e\n\u003cli\u003eAudit the use of \u003ccode\u003eincus webui\u003c/code\u003e in your environment and restrict its use to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-incus-auth-bypass/","summary":"Incus versions prior to 6.23.0 are vulnerable to an authentication bypass in the `incus webui` component, allowing local attackers to gain elevated privileges or remote attackers to access system resources by exploiting the incorrect validation of authentication tokens.","title":"Incus WebUI Authentication Bypass Vulnerability (CVE-2026-33898)","url":"https://feed.craftedsignal.io/briefs/2024-01-incus-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-33898","version":"https://jsonfeed.org/version/1.1"}