CVE-2026-51082
Received
Received - Intake
Race Condition in Proxmox Virtual Environment VNC Session Hijacking
Vulnerability report for CVE-2026-51082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: MITRE
Description
Description
A race condition between the vncproxy and vncwebsocket API calls in Proxmox Virtual Environment (PVE) 9.x pve-manager before 9.1.9 and 8.x before 8.4.19; qemu-server 9.x before 9.1.7 and 8.x before 8.4.7; and pve-container before 6.1.3 (PVE 9.x) and before 5.3.4 (PVE 8.x) allows an attacker with privileges to call "vncproxy" to hijack a VNC session that is established in parallel by a different user for a different VM.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| proxmox | pve_manager | to 9.1.9 (exc) |
| proxmox | qemu_server | to 9.1.7 (exc) |
| proxmox | pve_container | to 6.1.3 (exc) |
| proxmox | pve_container | to 5.3.4 (exc) |
| proxmox | pve_manager | to 8.4.19 (exc) |
| proxmox | qemu_server | to 8.4.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |