Platform: go
Component: github.com/lxc/incus
Fixed in: 6.23.1, 6.23.0
CVE-2026-33897 describes an arbitrary file access vulnerability affecting Incus v6. This flaw allows malicious instance template files to perform unauthorized read or write operations as root on the host server. The vulnerability stems from the use of pongo2 templates within instances, which, due to a bypass of the intended chroot isolation, enables arbitrary file system access. This issue is resolved in Incus version 6.23.0.
CVE-2026-33897 represents a critical vulnerability in Incus, specifically within its handling of Pongo templates. An attacker could exploit this flaw to achieve arbitrary file read and write access on the system hosting the Incus daemon. The vulnerability stems from insufficient sanitization of user-supplied data used within these templates, allowing for template injection. A successful exploit could enable an attacker to read sensitive configuration files, credentials, or even application code stored on the server. Furthermore, the write capability allows for modification of system files, potentially leading to complete system compromise. The blast radius extends to any data accessible by the Incus daemon, which could include container images, volumes, and network configurations. This vulnerability poses a significant risk to environments utilizing Incus for container management, as it could be leveraged to gain unauthorized access and control over the underlying infrastructure. The ability to write arbitrary files elevates the risk from simple data exposure to full system takeover, making immediate remediation crucial.
Currently, there are no publicly available exploitation reports or proof-of-concept (POC) code for CVE-2026-33897, and the vulnerability has no entry in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the critical severity rating (CVSS score of 9.9) highlights the potential for exploitation if a POC is developed and released. The nature of the vulnerability, arbitrary file read and write, makes it a high-value target for attackers. While no active exploitation is known, the absence of public exploits does not diminish the urgency of patching. Organizations using Incus should prioritize remediation to prevent potential future exploitation. The ease with which template injection vulnerabilities can be exploited once a POC is available underscores the importance of proactive security measures.
Exploit status:
EPSS: 0.06% (17th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-33897 is to upgrade Incus to version 6.23.0 or later. This version incorporates the necessary fixes to properly sanitize user input within Pongo templates, preventing the template injection vulnerability. If upgrading is not immediately feasible, a temporary workaround involves restricting access to the Incus API endpoints responsible for template rendering. This can be achieved through network segmentation or access control lists, limiting the potential attack surface. However, this workaround is not a substitute for patching and should only be considered as a short-term measure. After applying the upgrade or implementing the workaround, it is essential to verify the fix by attempting to reproduce the vulnerability using known attack vectors. This verification step should include testing with various input payloads to ensure that the sanitization mechanisms are functioning correctly and that the vulnerability has been effectively eliminated. Regular security audits and vulnerability scanning are also recommended to proactively identify and address potential security weaknesses.
Upgrade Incus to version 6.23.0 or later. This version fixes the vulnerability that allows arbitrary file read and write on the host server through pongo2 templates.
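Since the only fix is the version upgrade, the practical first step for a defender is to find out which Incus version a host or a Go project actually carries and compare it against 6.23.0. The following Go program is an added example written for this page, not code from the Incus project or from the advisory source. It assumes that Incus is pulled in under the module path github.com/lxc/incus, optionally with Go's /vN major-version suffix, and that a running daemon reports its version as a plain dotted string; the go.mod fragment and the version strings in it are constructed sample data.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedVersion is the first release the advisory names as containing the fix.
var fixedVersion = [3]int{6, 23, 0}

// sampleGoMod is a constructed go.mod fragment used for the stand-alone demo;
// it is not taken from any real project.
const sampleGoMod = `module example.com/constructed/app

go 1.22

require (
	github.com/lxc/incus/v6 v6.22.0
	github.com/spf13/cobra v1.8.0 // indirect
)
`

// parseVersion turns "v6.22.1", "6.22.1" or "v6.23.0-rc1" into a numeric triple
// plus a flag saying whether a pre-release suffix was present. Build metadata
// after "+" (e.g. "+incompatible") is ignored, as Go's semver rules do.
func parseVersion(s string) (v [3]int, prerelease bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		s, prerelease = s[:i], true
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false, fmt.Errorf("unexpected version %q", s)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return v, false, fmt.Errorf("non-numeric component in %q", s)
		}
		v[i] = n
	}
	return v, prerelease, nil
}

// IsVulnerable reports whether the given Incus version is older than the
// fixed release. A pre-release of the fixed version (6.23.0-rc1) is treated
// as older, which is the conservative reading for a patch check.
func IsVulnerable(version string) (bool, error) {
	v, prerelease, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if v[i] != fixedVersion[i] {
			return v[i] < fixedVersion[i], nil
		}
	}
	return prerelease, nil
}

// incusRequire matches a require line for github.com/lxc/incus, with or
// without the /vN major-version suffix that Go modules append (assumed here).
var incusRequire = regexp.MustCompile(`^\s*(?:require\s+)?(github\.com/lxc/incus(?:/v\d+)?)\s+(v\d\S*)`)

// ScanGoMod looks for the Incus dependency in go.mod text and reports the
// module path, the pinned version and whether that version is affected.
func ScanGoMod(gomod string) (path, version string, vulnerable bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		m := incusRequire.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		vuln, verr := IsVulnerable(m[2])
		if verr != nil {
			return "", "", false, verr
		}
		return m[1], m[2], vuln, nil
	}
	return "", "", false, fmt.Errorf("no github.com/lxc/incus dependency found")
}

func main() {
	path, version, vuln, err := ScanGoMod(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s affected by CVE-2026-33897: %v\n", path, version, vuln)

	// Constructed version strings as a running daemon might report them.
	for _, v := range []string{"6.22.1", "6.23.0", "6.23.1"} {
		affected, _ := IsVulnerable(v)
		fmt.Printf("incus %s affected: %v\n", v, affected)
	}
}
```

The check deliberately parses only the three numeric components and treats a pre-release of 6.23.0 as still affected; pseudo-versions (v6.0.0-2024...-abcdef) therefore also resolve to their base version, which errs on the side of flagging a host for review rather than silently passing it.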
CVE-2026-33897 is a critical vulnerability in Incus that allows for arbitrary file read and write through improper handling of Pongo templates.
Versions of Incus prior to 6.23.0 are affected by this vulnerability.
Upgrade Incus to version 6.23.0 or later to resolve this vulnerability.
As of now, there are no public exploitation reports or proof-of-concept code available for CVE-2026-33897.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-33897 for more details: https://nvd.nist.gov/vuln/detail/CVE-2026-33897