Home / Vulnerability Intelligence / CVE-2026-33898

CVE-2026-33898 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 27, 2026

Incus - Authentication Bypass

Published: March 27, 2026Updated: March 27, 2026Remote Exploitable

Overview

Incus prior to 6.23.0 contains an authentication bypass caused by incorrect validation of authentication tokens in the URL in the incus webui local web server, letting attackers with local or remote access escalate privileges or access user instances, exploit requires attacker to locate and interact with the local web server.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 6.1%(Probability of exploitation in next 30 days)

Impact

Attackers can escalate privileges or access user Incus instances and system resources by exploiting token validation flaws in the local web server.

Mitigation

Update to version 6.23.0 or later.

References

https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 29, 2026

🟠 CVE-2026-33898 - High (8.8) Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web se... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33898/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33898
Severity: High
CVSS Score: 8.8
Type: broken_authentication
Status: new
EPSS: 6.1%
Social Posts: 1

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

6.1%Probability of exploitation in the next 30 days