{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33897", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-03-26T22:43:31.392Z", "dateUpdated": "2026-03-26T22:43:31.392Z"}, "containers": {"cna": {"title": "Incus vulnerable to arbitrary file read and write through pongo templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92"}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"version": "< 6.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T22:43:31.392Z"}, "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue."}], "source": {"advisory": "GHSA-83xr-5xxr-mh92", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue."}], "id": "CVE-2026-33897", "lastModified": "2026-03-26T23:16:20.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T23:16:20.743", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "incus: pongo2: Incus: Arbitrary file read/write as root via pongo2 template chroot bypass", "id": "2452020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452020"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-243", "details": ["A flaw was found in Incus, a system container and virtual machine manager. An attacker with control over instance template files can exploit a vulnerability in the pongo2 templating engine. This flaw allows for arbitrary read or write operations as the root user on the host server by bypassing the intended chroot isolation mechanism. This can lead to unauthorized access and modification of critical system files."], "name": "CVE-2026-33897", "public_date": "2026-03-26T22:43:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33897\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33897\nhttps://github.com/lxc/incus/security/advisories/GHSA-83xr-5xxr-mh92"], "statement": "This Important flaw in Incus, a system container and virtual machine manager, allows an attacker with control over instance template files to bypass chroot isolation. This enables arbitrary file read or write operations as the root user on the host server. This vulnerability affects Incus, which is available as a community project.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "incus", "source": "cna", "vendor": "lxc"}, "product": "incus", "vendor": "lxc"}], "analysis": {"en": {"generated_at": "2026-03-27T06:37:45.520243+00:00", "value": {"mitigation_remediation": ["Upgrade Incus to version 6.23.0 or newer to apply the vendor patch that removes the unsafe pongo2 template handling."], "summary": {"action": "Immediate Patch", "impact": "Root-level arbitrary file read/write on host"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Incus product under the lxc:incus vendor. All versions prior to 6.23.0 are impacted because the patch that disables unsafe template handling was introduced in that release.", "description_and_impact": "Incus, a system container and virtual machine manager, contains a flaw in its handling of pongo2 templates. The implementation of pongo2 allows arbitrary file reads and writes with root privileges, bypassing the intended chroot isolation. This leads to the possibility of reading any file on the host or overwriting files, including critical system binaries and configuration files, thereby compromising confidentiality, integrity, and availability of the entire system.", "risk_and_exploitability": "The CVSS score of 10 indicates a severe threat. Although the EPSS score is not reported, the lack of a KEV listing does not reduce the risk because the flaw allows unrestricted root-level access to the file system. The attack vector is inferred to require authenticated access to the instance template functionality or a local foothold; an attacker can create or manipulate templates to gain direct root access to the host. This makes exploitation highly dangerous and likely if the vulnerability is present and the attacker has sufficient privileges or anonymity in the environment."}}}}, "created": "2026-03-27T08:31:28.481030+00:00", "updated": "2026-03-27T09:22:52.326985+00:00", "vendors": ["lxc", "lxc$PRODUCT$incus"]}