CVE-2026-33898
Received - Intake
Authentication Token Validation Flaw in Incus WebUI Enables Privilege Escalation

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token, such that an invalid value is accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token so it does not need to be included in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed in the URL. This allows an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user, or to access to the user's Incus instances and possibly system resources by a remote attacker able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
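The description above names the defect class: the token is checked when it arrives in the cookie but not when it arrives in the URL. The following Go program is an added example written for this page, not Incus's own code, showing a single validation path that covers both places the token can arrive, with a constant-time comparison and a cookie issued only after the URL token has been verified. The cookie name, query parameter name and handler layout are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieName is a hypothetical cookie name chosen for this example.
const cookieName = "ui_session_token"

// newToken returns a fresh 32-byte random token, hex-encoded.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// validToken reports whether presented equals expected, using a
// constant-time comparison and rejecting empty values outright.
func validToken(presented, expected string) bool {
	if presented == "" || expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// requireToken wraps next so that a request is served only when either the
// token in the URL query string or the session cookie matches expected.
// Both paths go through the same validToken check; the flaw the advisory
// describes is accepting the URL token without such a check.
func requireToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if q := r.URL.Query().Get("token"); q != "" {
			if !validToken(q, expected) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			// Only a validated URL token is persisted into the cookie.
			http.SetCookie(w, &http.Cookie{
				Name:     cookieName,
				Value:    q,
				Path:     "/",
				HttpOnly: true,
				SameSite: http.SameSiteStrictMode,
			})
			next.ServeHTTP(w, r)
			return
		}
		c, err := r.Cookie(cookieName)
		if err != nil || !validToken(c.Value, expected) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request through h and returns the status code
// and whether a session cookie was issued in the response.
func probe(h http.Handler, target, cookieValue string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if cookieValue != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookieValue})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	for _, c := range rec.Result().Cookies() {
		if c.Name == cookieName {
			return rec.Code, true
		}
	}
	return rec.Code, false
}

func main() {
	token, err := newToken()
	if err != nil {
		panic(err)
	}
	ui := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	h := requireToken(token, ui)
	fmt.Println("login URL would be: http://127.0.0.1:<port>/?token=" + token)
	code, issued := probe(h, "/?token=not-the-token", "")
	fmt.Println("wrong URL token:", code, "cookie issued:", issued)
	code, issued = probe(h, "/?token="+token, "")
	fmt.Println("correct URL token:", code, "cookie issued:", issued)
	code, issued = probe(h, "/", token)
	fmt.Println("correct cookie:", code, "cookie issued:", issued)
}
```

The design point is that there is exactly one comparison function and every credential source calls it; a second, looser path for the URL form is what turns a localhost-only listener into something any local process (or a page the user is lured to) can drive with the user's Incus privileges.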
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: linuxcontainers
Product: incus
Version / Range: up to 6.23.0 (exclusive)
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33898 is an authentication bypass vulnerability in the Incus web UI local server that affects versions prior to 6.23.0. The Incus web UI runs a local web server on a random localhost port and authenticates users by providing a URL containing an authentication token. When accessed with this token, Incus sets a cookie that persists the token for subsequent requests.

The vulnerability occurs because while the Incus client correctly validates the authentication token stored in the cookie, it fails to properly validate the token when it is passed directly in the URL. This flaw allows an attacker who can access the temporary web server on localhost to bypass authentication and gain the same level of access as the user who launched the Incus web UI.


How can this vulnerability impact me?

This vulnerability can allow an attacker with access to the local Incus web server to bypass authentication and gain full access to the Incus instances and possibly system resources of the user who ran the Incus web UI.

  • Privilege escalation by another local user.
  • Remote attackers potentially tricking the local user into interacting with the Incus UI web server, leading to unauthorized access.
  • Compromise of confidentiality, integrity, and availability of the affected system.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the Incus web UI local server running on a random localhost port prior to version 6.23.0. Detection involves identifying if the vulnerable Incus version is running and if the local web server is active.

You can check the Incus version installed on your system with the command:

  • incus --version

To detect if the Incus web UI server is running and listening on localhost ports, you can use commands like:

  • ss -tuln | grep 127.0.0.1
  • netstat -tuln | grep 127.0.0.1

Note that the `-n` flag in both commands prints numeric addresses, so the loopback listener appears as 127.0.0.1 rather than "localhost". Additionally, monitoring HTTP requests to the local Incus web UI server for URLs containing authentication tokens may help identify attempts to exploit the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Incus to version 6.23.0 or later, where this authentication token validation issue has been fixed.

Until the upgrade can be performed, restrict access to the localhost ports used by the Incus web UI server to trusted users only, preventing untrusted local users or remote attackers from accessing the temporary web server.

Avoid interacting with suspicious URLs containing authentication tokens and educate users about the risk of being tricked into accessing malicious links that could exploit this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to bypass authentication on the Incus local web UI, potentially gaining unauthorized access to user instances and system resources. Such unauthorized access can lead to exposure or modification of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict controls on access to personal and protected health information.

Specifically, the high impact on confidentiality, integrity, and availability indicated by the CVSS score suggests that sensitive information could be compromised or altered, violating regulatory requirements for data security and privacy.

Therefore, organizations using vulnerable versions of Incus prior to 6.23.0 may face compliance risks if this vulnerability is exploited, emphasizing the importance of applying the patch to maintain regulatory compliance.

