CVE-2026-33898: CWE-287: Improper Authentication in lxc incus
CVE-2026-33898 is a high-severity improper authentication vulnerability in the Incus container and VM manager's local web server prior to version 6.23.0. The flaw arises because the web UI incorrectly validates authentication tokens passed via URL, accepting invalid tokens. This allows an attacker with local access or the ability to trick a user into interacting with the local web server to gain the same privileges as the user running Incus. Exploitation can lead to privilege escalation and unauthorized access to container instances and potentially system resources. The vulnerability is patched in Incus version 6.23.0. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
Incus is a system container and virtual machine manager that includes a local web server component launched by the `incus webui` command. This web server runs on a random localhost port and uses an authentication token embedded in a URL to grant access. When a user accesses the URL with the token, Incus sets a cookie to persist authentication for subsequent requests. However, prior to version 6.23.0, the web server incorrectly validates the token when it is passed in the URL, accepting invalid tokens. While the client correctly validates tokens stored in cookies, the initial URL token validation is flawed. This improper authentication (CWE-287) allows an attacker who can communicate with the local web server—either a local user or a remote attacker who can trick a user into accessing a malicious URL—to gain the same access rights as the legitimate user running Incus. This can lead to privilege escalation on the host system or unauthorized access to container and VM instances managed by Incus. The vulnerability has a CVSS 3.1 score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with no privileges or authentication required but user interaction needed. The issue is resolved in version 6.23.0 of Incus.
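The following Go program is an added illustration of the CWE-287 pattern the analysis describes, written for this page; it is not Incus's code and makes no claim about how the real `incus webui` server is implemented. It models a localhost web UI that bootstraps a session from a `?token=` URL parameter and then persists it in a cookie. The vulnerable variant treats the mere presence of the URL parameter as proof of possession, while validating the cookie correctly, which mirrors the advisory's description; the hardened variant applies the same constant-time comparison to the URL token. The cookie name, handler names and the `probe` helper are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed cookie name for the example; not the name Incus actually uses.
const cookieName = "webui_session"

// newToken returns a fresh 256-bit random token, hex-encoded (constructed helper).
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// tokenMatches compares a presented token against the expected one in constant time.
// An empty presented token is never accepted.
func tokenMatches(expected, presented string) bool {
	return presented != "" &&
		subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// cookieAuthorised reports whether the request carries a session cookie holding the
// valid token. Both handlers share it: cookie validation is the part that was correct.
func cookieAuthorised(r *http.Request, expected string) bool {
	c, err := r.Cookie(cookieName)
	return err == nil && tokenMatches(expected, c.Value)
}

// grantSession persists authentication in a cookie for subsequent requests.
func grantSession(w http.ResponseWriter, expected string) {
	http.SetCookie(w, &http.Cookie{
		Name: cookieName, Value: expected, Path: "/",
		HttpOnly: true, SameSite: http.SameSiteStrictMode,
	})
	w.WriteHeader(http.StatusOK)
}

// vulnerableHandler models the flawed flow: the URL token's presence is checked,
// but its value is never compared, so any value bootstraps a valid session.
func vulnerableHandler(expected string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cookieAuthorised(r, expected) {
			w.WriteHeader(http.StatusOK)
			return
		}
		if r.URL.Query().Has("token") { // BUG: presence check only
			grantSession(w, expected)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	})
}

// hardenedHandler applies the same constant-time comparison to the URL token
// that is already applied to the cookie, so only the real token opens a session.
func hardenedHandler(expected string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cookieAuthorised(r, expected) {
			w.WriteHeader(http.StatusOK)
			return
		}
		if tokenMatches(expected, r.URL.Query().Get("token")) {
			grantSession(w, expected)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	})
}

// probe sends one GET (optionally carrying a session cookie) and returns the status code.
func probe(h http.Handler, target, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := newToken()
	fmt.Println("vulnerable, bogus URL token:", probe(vulnerableHandler(tok), "/?token=bogus", ""))
	fmt.Println("hardened, bogus URL token:  ", probe(hardenedHandler(tok), "/?token=bogus", ""))
	fmt.Println("hardened, real URL token:   ", probe(hardenedHandler(tok), "/?token="+tok, ""))
	fmt.Println("hardened, bogus cookie:     ", probe(hardenedHandler(tok), "/", "bogus"))
}
```

The point the comparison makes is that a second, independent validation path (the URL bootstrap) must be held to the same standard as the primary one (the cookie); a presence-only check on either path hands a session to anyone who can get a request to the port.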
Potential Impact
This vulnerability poses a significant risk to organizations using Incus for container and VM management. An attacker with local access or the ability to trick a user into interacting with the local web server can escalate privileges to that of the Incus user, potentially gaining control over container instances and underlying system resources. This could lead to data breaches, unauthorized system modifications, and disruption of containerized services. The impact extends to environments where Incus is used for multi-tenant or sensitive workloads, increasing the risk of lateral movement and persistent compromise. Since the web server runs locally on random ports, remote exploitation requires social engineering or local network access, but the high severity score reflects the broad impact if exploited. Organizations relying on Incus for virtualization and container orchestration must consider this a critical security issue.
Mitigation Recommendations
The primary mitigation is to upgrade Incus to version 6.23.0 or later, where the authentication token validation flaw is fixed. Until upgrading, organizations should restrict access to localhost ports used by `incus webui` to trusted users only, using local firewall rules or network policies to prevent unauthorized local or remote access. Users should be educated to avoid clicking on suspicious URLs that could lead to interaction with the Incus web UI. Additionally, monitoring local network traffic and system logs for unusual access patterns to the Incus web server can help detect exploitation attempts. Implementing strict user privilege separation and minimizing the number of users who can run `incus webui` reduces the attack surface. Finally, consider isolating the management interface in secure environments or using alternative management tools that do not expose local web servers.
Affected Countries
United States, Germany, China, Japan, United Kingdom, France, Canada, Australia, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T15:41:47.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5c16a3c064ed76fe46d11
Added to database: 3/26/2026, 11:29:46 PM
Last enriched: 3/26/2026, 11:45:12 PM
Last updated: 3/27/2026, 1:48:01 AM