Platform: go
Component: github.com/lxc/incus
Fixed in: 6.23.1, 6.23.0
CVE-2026-33898 describes an authentication bypass vulnerability discovered in Incus, a Kubernetes-native storage orchestrator. This flaw allows attackers to circumvent authentication mechanisms and potentially gain unauthorized access to the Incus UI. The vulnerability affects versions prior to 6.23.0 and was publicly disclosed on April 7, 2026. A fix is available in version 6.23.0.
Successful exploitation of CVE-2026-33898 allows an attacker to bypass authentication and directly access the Incus UI without proper credentials. This grants them the ability to perform actions within the UI as if they were an authenticated user, potentially including creating, modifying, or deleting storage resources. The blast radius is limited to the scope of actions possible within the Incus UI, but unauthorized access could lead to data breaches, service disruption, or even compromise of the underlying Kubernetes cluster if the UI is integrated with other critical systems. The lack of authentication controls significantly elevates the risk of malicious activity.
CVE-2026-33898 was publicly disclosed on April 7, 2026. The vulnerability is present in the Incus UI web server. Exploitation context and probability are currently assessed as medium due to the relatively recent disclosure and the potential for widespread deployment of vulnerable Incus instances. No public proof-of-concept exploits have been observed at the time of this writing, but the ease of exploitation makes it a potential target for opportunistic attackers. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations deploying Incus for container storage orchestration are at risk. This includes Kubernetes environments utilizing Incus for persistent volumes and storage management. Specifically, environments with exposed Incus UI endpoints without proper network segmentation or access controls are particularly vulnerable.
• linux / server:
journalctl -u incus -g 'authentication bypass'
• generic web:
curl -I http://<incus_ip>/ui/ | grep 'WWW-Authenticate'
• generic web:
curl -I http://<incus_ip>/ui/ | grep 'Authorization: Basic'
Disclosure
Exploit status:
EPSS: 0.07% (22nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-33898 is to upgrade Incus to version 6.23.0 or later, which contains the fix for this authentication bypass. If an immediate upgrade is not feasible, consider implementing stricter network segmentation to limit access to the Incus UI. Review and enforce strong access control policies within Kubernetes to minimize the potential impact of unauthorized UI access. Monitor Incus logs for any unusual activity or unauthorized access attempts. There are no specific WAF rules or detection signatures readily available for this specific vulnerability, so proactive monitoring and timely patching are crucial.
Upgrade Incus to version 6.23.0 or later. This version fixes the authentication bypass vulnerability in the local web interface.
CVE-2026-33898 is a HIGH severity authentication bypass vulnerability in Incus versions prior to 6.23.0, allowing attackers to access the UI without credentials.
If you are running Incus versions earlier than 6.23.0, you are potentially affected by this vulnerability. Check your current version and upgrade immediately.
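The version check described above, as an added example that is not part of this advisory or of the Incus project: it compares a version string (for instance the output of the Incus CLI, or the version pinned in a Go project's go.mod) against the fixed version 6.23.0 stated above. The go.mod line format, the optional `/v6` major-version suffix on the module path, and the handling of "v" prefixes and pre-release tags are assumptions about the usual Go module conventions, not facts from the advisory.

```python
"""Check whether a deployed or vendored Incus version falls in the range
affected by CVE-2026-33898 (versions prior to 6.23.0).

Added example; not from the advisory or the Incus project. The only fact taken
from the advisory is the fixed version. Everything about go.mod layout and
version-string shape is an assumption.
"""
import re

# Fixed version as stated in the advisory.
FIXED_VERSION = (6, 23, 0)

# Matches "6.22.0", "v6.22.0", "6.22" (patch defaults to 0) and "6.22.0-rc1";
# trailing pre-release/build tags are ignored for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")

# Assumed go.mod shapes: a bare "require github.com/lxc/incus vX.Y.Z" line or an
# indented line inside a "require ( ... )" block; "/vN" module suffix optional.
_GO_MOD_RE = re.compile(
    r"^\s*(?:require\s+)?github\.com/lxc/incus(?:/v\d+)?\s+(v?\d[^\s]*)"
)


def parse_version(text):
    """Return (major, minor, patch) for a version string, or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version is strictly older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def affected_modules_in_go_mod(go_mod_text):
    """Scan go.mod text and return [(pinned_version, affected_bool), ...] for
    every github.com/lxc/incus requirement found."""
    findings = []
    for line in go_mod_text.splitlines():
        m = _GO_MOD_RE.match(line)
        if m:
            pinned = m.group(1)
            findings.append((pinned, is_affected(pinned)))
    return findings


# Constructed sample go.mod for a hypothetical project; not a real file.
SAMPLE_GO_MOD = """\
module example.com/myapp

go 1.22

require (
    github.com/lxc/incus/v6 v6.22.0
    github.com/spf13/cobra v1.8.0 // indirect
)
"""

if __name__ == "__main__":
    for pinned, affected in affected_modules_in_go_mod(SAMPLE_GO_MOD):
        status = "AFFECTED - upgrade to 6.23.0 or later" if affected else "not affected"
        print(f"github.com/lxc/incus {pinned}: {status}")
    # A version string as a deployed server might report it (constructed value):
    print("6.21.3:", "affected" if is_affected("6.21.3") else "not affected")
```

The comparison is deliberately strict-less-than on (major, minor, patch), so 6.23.0 itself and the 6.23.1 release listed above both report as not affected, while any pre-release tag on an older base version still counts as affected.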
Upgrade Incus to version 6.23.0 or later to resolve this authentication bypass vulnerability. Follow the official Incus upgrade instructions.
While no active exploitation has been confirmed, the ease of exploitation makes it a potential target. Proactive patching is highly recommended.
Refer to the official Incus project website and GitHub repository for security advisories and updates related to CVE-2026-33898.