CVE-2026-33898 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: March 27, 2026
Incus - Authentication Bypass
Published: March 27, 2026 | Updated: March 27, 2026 | Remote Exploitable
Overview
Incus prior to 6.23.0 contains an authentication bypass caused by incorrect validation of authentication tokens in the URL in the incus webui local web server. It lets attackers with local or remote access escalate privileges or access user instances. Exploitation requires the attacker to locate and interact with the local web server.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can escalate privileges or access user Incus instances and system resources by exploiting token validation flaws in the local web server.
Mitigation
Update to version 6.23.0 or later.
Details
- CVE ID: CVE-2026-33898
- Severity: High
- CVSS Score: 8.8
- Type: broken_authentication
- Status: new
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H