SB2026041601 - Debian update for incus
Published: April 16, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-34178)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass project restrictions and fully compromise the host.
The vulnerability exists due to improper access control in the LXD backup import process when importing a crafted instance backup archive. A remote privileged user can supply inconsistent backup/index.yaml and backup/container/backup.yaml files to bypass project restrictions and fully compromise the host.
Exploitation requires instance creation and operation permissions in a restricted project.
2) Improper access control (CVE-ID: CVE-2026-34179)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges to cluster admin.
The vulnerability exists due to improper access control in the doCertificateUpdate handler for the /1.0/certificates/{fingerprint} endpoint when processing PUT or PATCH requests that update TLS certificate records. A remote privileged user can send a crafted request to change the certificate type from client to server and escalate privileges to cluster admin.
The issue affects deployments using legacy restricted TLS certificates through the /1.0/certificates API, and the privilege change takes effect after the identity cache refresh.
Remediation
Install the update from the vendor's website.