CVE-2026-33898: Local Incus UI web server vulnerable to nuthentication bypass

March 27, 2026

The web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted.

References

github.com/advisories/GHSA-453r-g2pg-cxxq
github.com/lxc/incus
github.com/lxc/incus/commit/d81d49e746e15dad35de39dc0ace0cedfba7d2f7
github.com/lxc/incus/releases/tag/v6.23.0
github.com/lxc/incus/security/advisories/GHSA-453r-g2pg-cxxq
nvd.nist.gov/vuln/detail/CVE-2026-33898

Code Behaviors & Features

Detect and mitigate CVE-2026-33898 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →