Directory Traversal and Arbitrary File Access in Incus System Container Manager
CVE-2026-23954

8.7HIGH

Key Information:

Vendor

Lxc

Status
Incus
Vendor
CVE Published:
22 January 2026

What is CVE-2026-23954?

The Incus system container and virtual machine manager is at risk due to a vulnerability that allows users with permissions to launch containers using custom images to exploit directory traversal or symbolic links. The issue arises from insufficient checks on paths when processing templates with metadata.yaml files, enabling potential unauthorized access to host files as well as arbitrary command execution on the host system. A patch has been announced for future releases, but has not yet been implemented in the current versions.

Affected Version(s)

incus >= 6.1.0, <= 6.20.0 <= 6.1.0, 6.20.0

incus <= 6.0.5 <= 6.0.5

References

https://github.com/lxc/incus/security/advisories/GHSA-7f6...
x_refsource_CONFIRM
https://github.com/lxc/incus/blob/HEAD/internal/server/in...
x_refsource_MISC
https://github.com/lxc/incus/blob/HEAD/internal/server/in...
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.