Incus patches template sandbox bypass enabling host root read/write
TL;DR — Incus instance templates can escape their intended filesystem isolation, enabling low-privileged users to read/write arbitrary host files as root (critical host compromise).
What happened
Incus is a system container and virtual machine manager (a community fork of LXD) with a REST API for managing instances on single hosts or clusters.
CVE-2026-33897 reports that instance template files (implemented using pongo2) can be abused to perform arbitrary file reads and writes as root on the host server. The issue stems from a broken assumption: templates were expected to be constrained by pongo2's chroot isolation to the instance filesystem, but the CVE states that the chroot isolation mechanism is entirely skipped, making host filesystem access “easy” with root privileges.
This is an S-tier pattern for multi-tenant container platforms: “template/sandbox escape” vulnerabilities often collapse the intended trust boundary between an instance tenant and the host, turning a normal automation feature into a host takeover primitive.
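The root cause described above is a missing containment check: a template's target path was assumed to be confined to the instance filesystem, but nothing actually enforced that boundary. The following Go example is added here for illustration and is not Incus code; it shows the class of check a template engine needs before writing a rendered file, using a constructed rootfs path and hypothetical function names. It first rejects paths that lexically leave the rootfs (`..` traversal, absolute paths), then resolves symlinks on disk and re-checks containment, because a tenant who controls the instance filesystem can turn a lexically safe target such as `etc/hosts` into a host write by replacing `etc` with a symlink to the host's `/etc`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a template target resolves outside the rootfs.
var ErrEscapesRoot = errors.New("template target path escapes instance rootfs")

// ConfineTemplatePath resolves a template target (as written in a template
// definition) against the instance rootfs and rejects anything that lexically
// ends up outside it. Hypothetical helper, not an Incus API.
func ConfineTemplatePath(rootfs, target string) (string, error) {
	root := filepath.Clean(rootfs)
	// A leading "/" means "root of the instance", never the host root.
	rel := strings.TrimLeft(filepath.ToSlash(target), "/")
	if rel == "" {
		return "", errors.New("template target must name a file inside the rootfs")
	}
	// filepath.Join cleans "..", so the result can be compared against the root prefix.
	full := filepath.Join(root, filepath.FromSlash(rel))
	if !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return full, nil
}

// ResolveWithinRoot additionally follows symlinks on disk (up to the deepest
// existing ancestor of the target) and checks that the resolved location is
// still inside the rootfs. The lexical check alone is not enough when the
// tenant controls the instance filesystem.
func ResolveWithinRoot(rootfs, target string) (string, error) {
	full, err := ConfineTemplatePath(rootfs, target)
	if err != nil {
		return "", err
	}
	// Resolve the rootfs itself so the comparison is canonical (e.g. /tmp -> /private/tmp).
	root, err := filepath.EvalSymlinks(filepath.Clean(rootfs))
	if err != nil {
		return "", err
	}
	// Walk up until we find a path component that exists on disk.
	existing := full
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", ErrEscapesRoot
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	// Re-attach the not-yet-existing suffix and re-check containment.
	final := resolved + strings.TrimPrefix(full, existing)
	if final != root && !strings.HasPrefix(final, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return final, nil
}

func main() {
	// Constructed rootfs path; it does not need to exist for the lexical check.
	rootfs := "/var/lib/incus/containers/c1/rootfs"
	for _, target := range []string{"etc/hosts", "/etc/hostname", "../../../../etc/shadow"} {
		p, err := ConfineTemplatePath(rootfs, target)
		fmt.Printf("%-28q -> %q err=%v\n", target, p, err)
	}
}
```

Even with both checks, a check-then-write sequence is racy against a tenant who swaps a symlink between the check and the write; a robust implementation performs the write through a root-confined open (for example Linux `openat2` with `RESOLVE_IN_ROOT`) rather than trusting a path it validated a moment earlier.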
Who is impacted
- Incus deployments prior to 6.23.0.
- Environments where untrusted or semi-trusted users can create or influence instance templates (directly or indirectly through profiles/instance configuration via the API).
- The CVE’s CVSS vector indicates Network attack vector and Low privileges required (i.e., not purely “local-only”).
| Component | Affected versions (per CVE record) | Patched versions (per CVE record) |
|---|---|---|
| incus | < 6.23.0 | 6.23.0 |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"Version 6.23.0 patches the issue."
- Treat any ability for tenants/users to define template content as high risk until patched: review which roles and automation systems can set or modify instance templates.
- If you suspect exposure, prioritize host-level incident triage (this class of issue implies host file read/write as root): scope which secrets, keys, and service credentials may have been reachable from the Incus host filesystem and rotate accordingly.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
