Blind SSRF Vulnerability in Incus Container Manager
CVE-2026-35527

5.3 MEDIUM

Key Information:

Vendor

Lxc

Status
Vendor
CVE Published:
5 May 2026

What is CVE-2026-35527?

Incus, an open source container and virtual machine manager, is susceptible to a blind Server-Side Request Forgery (SSRF) vulnerability in versions prior to 7.0.0. During image import, the server sends a HEAD request to a user-supplied URL without first validating that URL against the project's restrictions; the request goes out before the import policy rejects the source. An authenticated user can therefore make the server issue requests to arbitrary addresses. Because the request carries custom headers, it can leak sensitive server metadata about the host environment to an endpoint the user controls. Although the import policy still prevents the actual image download, the SSRF is significant: it lets an attacker discover internal services and reach vulnerable cloud metadata endpoints.
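As an added illustration (not Incus's own code and not its 7.0.0 fix), the Go snippet below shows the ordering a defender wants in an image-import path: the project policy is applied to the user-supplied URL, and literal internal addresses are refused, before any HEAD request is built, so a rejected source never generates outbound traffic. `ImagePolicy`, `checkImageSource` and `probeImage` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// ImagePolicy stands in for a project's restrictions on remote image sources (hypothetical type, not Incus's schema).
type ImagePolicy struct {
	AllowRemote  bool     // may this project import images from URLs at all?
	AllowedHosts []string // host allowlist; empty means any host when AllowRemote is set
}

// checkImageSource applies the policy to the user-supplied URL before any network I/O happens.
func checkImageSource(rawURL string, p ImagePolicy) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if !p.AllowRemote || err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Hostname() == "" {
		return nil, fmt.Errorf("policy: remote import disabled or URL %q malformed", rawURL)
	}
	host := u.Hostname()
	// Literal loopback, link-local (cloud metadata), private or unspecified addresses are always refused.
	if ip := net.ParseIP(host); ip != nil && (ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsPrivate() || ip.IsUnspecified()) {
		return nil, fmt.Errorf("policy: internal address %s refused", host)
	}
	allowed := len(p.AllowedHosts) == 0
	for _, h := range p.AllowedHosts {
		allowed = allowed || h == host
	}
	if !allowed {
		return nil, fmt.Errorf("policy: host %s not in project allowlist", host)
	}
	return u, nil
}

// probeImage is the only place the HEAD request is sent, and only for a URL checkImageSource approved.
func probeImage(c *http.Client, rawURL string, p ImagePolicy) (int, error) {
	u, err := checkImageSource(rawURL, p)
	if err != nil {
		return 0, err // rejected locally: nothing left the host
	}
	resp, err := c.Head(u.String())
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

A literal-IP check does not cover hostnames that resolve to internal addresses, so in a real deployment it should be paired with resolver-level filtering or an egress policy on the host.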

Affected Version(s)

incus < 7.0.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
