Platform: go
Component: github.com/lxc/incus
Fixed in: 6.23.1, 6.23.0
CVE-2026-33898 describes an authentication bypass vulnerability in Incus, the system container and virtual machine manager maintained by the Linux Containers project (github.com/lxc/incus). The flaw allows an attacker to circumvent the authentication checks in front of the Incus web UI and gain unauthorized access to it. The vulnerability affects versions prior to 6.23.0 and was publicly disclosed on April 7, 2026. A fix is available in version 6.23.0.
Successful exploitation of CVE-2026-33898 allows an attacker to bypass authentication and reach the Incus UI without valid credentials. Once in, they can perform actions in the UI as if they were an authenticated user, potentially including creating, modifying, or deleting the resources the UI manages, such as instances and storage volumes. The blast radius is bounded by what the UI can do, but that is a lot: unauthorized access could lead to data exposure, service disruption, or compromise of the Incus host and the containers and virtual machines it runs. The absence of an effective authentication control is what makes this finding severe.
CVE-2026-33898 was publicly disclosed on April 7, 2026. The vulnerability is in the web server that serves the Incus UI. Exploitation probability is currently assessed as medium: the disclosure is recent and no public proof-of-concept exploit had been observed at the time of writing, but Incus is widely deployed and the bypass is easy to exploit, which makes exposed instances a likely target for opportunistic attackers. This vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-33898 is to upgrade Incus to version 6.23.0 or later, which contains the fix for this authentication bypass. If an immediate upgrade is not feasible, reduce exposure in the meantime: restrict which networks can reach the Incus API/UI listener (bind it to a management address or loopback and firewall it off from untrusted networks), and review which clients and users are granted access to the Incus API so that an unauthenticated UI session cannot be combined with over-broad permissions. Monitor the Incus daemon logs for unusual activity or unauthorized access attempts. There are no specific WAF rules or detection signatures readily available for this vulnerability, so proactive monitoring and timely patching are crucial.
Update Incus to version 6.23.0 or higher. This version fixes the authentication bypass vulnerability in the local web interface.
CVE-2026-33898 is a HIGH severity authentication bypass vulnerability in Incus versions prior to 6.23.0, allowing attackers to access the UI without credentials.
If you are running Incus versions earlier than 6.23.0, you are potentially affected by this vulnerability. Check your current version and upgrade immediately.
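The following POSIX shell script is an added example written for this page; it is not code from the Incus project or from the advisory. It does two things a host owner would want during triage: it parses `incus version` and reports whether the server predates the first fixed release named above, and it classifies the value of the daemon's `core.https_address` setting to show how widely the HTTPS API/UI listener is exposed (the stop-gap mentioned under mitigation). It assumes that `incus version` prints `Client version:` and `Server version:` lines, that `core.https_address` is the setting for the HTTPS listener, and that an empty value means the daemon has no network listener. The sample outputs embedded in the script are constructed and are used only when no `incus` client is installed.

```shell
#!/bin/sh
# Added example for CVE-2026-33898 triage (not Incus project code).
# Assumptions, see lead-in: `incus version` output format, and the meaning
# of core.https_address. Sample values below are constructed.

FIXED_VERSION="6.23.0"   # first fixed release named on this page

# version_lt A B: succeed when dotted version A sorts before B.
# ".0.0" is appended to both sides so "6.9" compares as 6.9.0 and a bare
# "6" does not trip cut(1)'s rule that delimiter-free lines print whole.
version_lt() {
    a="$1.0.0"; b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        ac=$(printf '%s' "$a" | cut -d. -f"$i")
        bc=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# server_version OUTPUT: value of the "Server version:" line, or nothing.
server_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version:[[:space:]]*//p' | head -n 1
}

# version_status OUTPUT: "affected (X < 6.23.0)", "fixed (X)" or "unknown".
# A value that is not purely dotted digits (e.g. "unreachable" when the
# daemon is down) is reported as unknown rather than compared as zero.
version_status() {
    v=$(server_version "$1")
    case "$v" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "affected ($v < $FIXED_VERSION)"
    else
        echo "fixed ($v)"
    fi
}

# exposure ADDR: classify a core.https_address value.
#   ""                                   -> none     (unix socket only)
#   ":8443", "[::]:8443", "0.0.0.0:8443" -> wildcard (every interface)
#   "127.0.0.1:8443", "[::1]:8443"       -> loopback
#   anything else                        -> specific (one address)
exposure() {
    case "$1" in
        '')                                        echo "none" ;;
        :*|'[::]:'*|'[::]'|0.0.0.0:*|0.0.0.0)      echo "wildcard" ;;
        127.*|'[::1]:'*|'[::1]'|localhost:*)       echo "loopback" ;;
        *)                                         echo "specific" ;;
    esac
}

# Constructed sample input, used when no incus client is on this host.
SAMPLE_VERSION_OUTPUT='Client version: 6.22
Server version: 6.22'
SAMPLE_HTTPS_ADDRESS='[::]:8443'

if command -v incus >/dev/null 2>&1; then
    version_output=$(incus version 2>/dev/null || true)
    https_address=$(incus config get core.https_address 2>/dev/null || true)
else
    version_output=$SAMPLE_VERSION_OUTPUT
    https_address=$SAMPLE_HTTPS_ADDRESS
fi
echo "CVE-2026-33898 version status: $(version_status "$version_output")"
echo "core.https_address exposure:   $(exposure "$https_address")"
```

Run it on each Incus host. A result of `affected` together with `wildcard` is the worst case: the unpatched UI is reachable from every interface the host has, so either upgrade or rebind the listener before anything else.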
Upgrade Incus to version 6.23.0 or later to resolve this authentication bypass vulnerability. Follow the official Incus upgrade instructions.
While no active exploitation has been confirmed, the ease of exploitation makes it a potential target. Proactive patching is highly recommended.
Refer to the official Incus project website and GitHub repository for security advisories and updates related to CVE-2026-33898.