Platform
go
Component
github.com/lxc/incus/v6/cmd/incusd
Fixed in
6.1.1
6.0.6
6.20.1
CVE-2026-23954 is a critical remote code execution (RCE) vulnerability affecting Incus, a Kubernetes-native container management system. An attacker with the ability to launch containers using custom images can exploit a flaw in the templating functionality to achieve arbitrary file read and write on the host system, ultimately leading to command execution. This vulnerability impacts Incus versions prior to 6.1.1 and also affects IncusOS. A fix is available in version 6.1.1.
The impact of CVE-2026-23954 is severe. Successful exploitation allows an attacker to gain complete control over the host system running Incus. This can lead to data breaches, system compromise, and the potential for lateral movement within the network. The vulnerability stems from insufficient validation of paths within the templating engine when processing container image metadata. An attacker can craft a malicious metadata.yaml file containing symbolic links or directory traversal sequences to manipulate file access and execute arbitrary commands. This is particularly concerning in environments where container users have elevated privileges or access to sensitive data.
CVE-2026-23954 was publicly disclosed on January 22, 2026. The vulnerability's exploitation context is currently unclear, but the combination of RCE and the ability to launch custom containers makes it a high-priority concern. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23954 is to upgrade to Incus version 6.1.1 or later. If an immediate upgrade is not possible, consider restricting container user privileges to minimize the potential impact of exploitation. Implement strict image scanning and validation policies to prevent the deployment of malicious container images. While a direct WAF rule is unlikely, consider implementing network segmentation to limit the blast radius of a potential compromise. Monitor container logs for unusual file access patterns or command execution attempts.
Actualice Incus a una versión superior a 6.20.0 o a la versión 6.0.6, cuando estén disponibles. Esto corregirá la vulnerabilidad de lectura y escritura arbitraria de archivos en el host a través de la funcionalidad de plantillas.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-23954 is a high-severity remote code execution vulnerability in Incus versions prior to 6.1.1. It allows attackers to execute arbitrary commands on the host system through manipulation of container image templates.
If you are running Incus versions prior to 6.1.1, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading to the patched version.
Upgrade Incus to version 6.1.1 or later to address this vulnerability. Review and restrict container user privileges as an interim measure.
While no active exploitation has been publicly confirmed, the vulnerability's nature suggests a potential for rapid exploitation. Monitor your systems closely.
Refer to the official Incus security advisory for detailed information and updates: [https://github.com/lxc/incus/security/advisories/GHSA-xxxx-xxxx-xxxx](Replace with actual advisory URL when available)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.