Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5e18c8949edc · 2026-03-27T17:23:28.000Z
GHSA-453r-g2pg-cxxq GHSA-q4q8-7f2j-9h9f
diff --git a/advisories/github-reviewed/2026/03/GHSA-453r-g2pg-cxxq/GHSA-453r-g2pg-cxxq.json b/advisories/github-reviewed/2026/03/GHSA-453r-g2pg-cxxq/GHSA-453r-g2pg-cxxq.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-453r-g2pg-cxxq",
+  "modified": "2026-03-27T17:21:31Z",
+  "published": "2026-03-27T17:21:31Z",
+  "aliases": [
+    "CVE-2026-33898"
+  ],
+  "summary": "Local Incus UI web server vulnerable to nuthentication bypass",
+  "details": "### Summary\nThe web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted.\n\n### Details\n`incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests.\n\nWhile the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed int the URL.\nThis allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`.\n\nThis can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server.\n\n### Credit\nThis issue was discovered and reported by the team at [7asecurity](https://7asecurity.com/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/lxc/incus/v6/cmd/incus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.23.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33898"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxc/incus/commit/d81d49e746e15dad35de39dc0ace0cedfba7d2f7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/lxc/incus"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxc/incus/releases/tag/v6.23.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T17:21:31Z",
+    "nvd_published_at": "2026-03-27T00:16:23Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-q4q8-7f2j-9h9f/GHSA-q4q8-7f2j-9h9f.json b/advisories/github-reviewed/2026/03/GHSA-q4q8-7f2j-9h9f/GHSA-q4q8-7f2j-9h9f.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q4q8-7f2j-9h9f",
+  "modified": "2026-03-27T17:22:32Z",
+  "published": "2026-03-27T17:22:32Z",
+  "aliases": [
+    "CVE-2026-33945"
+  ],
+  "summary": "Incus has an abitrary file write through its systemd-creds options",
+  "details": "### Summary\nIncus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory.\nAn attacker can use the name of a systemd credential to escape that directory and overwrite arbitrary files on the host system.\n\nThis can in turn be used to perform local privilege escalation or cause a DoS.\n\n### Details\nAn attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods.\n\nWhile it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks.\n\n### Credit\nThis issue was discovered and reported by the team at [7asecurity](https://7asecurity.com/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/lxc/incus/v6"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.23.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33945"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxc/incus/commit/f74199f9983e2ce78f2b78b6d765c6635b229c82"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/lxc/incus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T17:22:32Z",
+    "nvd_published_at": "2026-03-27T00:16:23Z"
+  }
+}
