CVE-2026-48753

CVE-2026-48753: Incus S3 Multipart Upload Path Traversal Arbitrary File Write

Detects exploitation of CVE-2026-48753, a critical path traversal vulnerability (CVSS 9.9) in Incus (github.com/lxc/incus/v7/cmd/incusd) versions prior to 7.1.0. An attacker can write arbitrary files on the host by crafting malicious S3 multipart upload requests containing path traversal sequences in the object key, potentially leading to container escape, privilege escalation, or persistent backdoor installation.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
go
Product
github.com/lxc/incus/v7/cmd/incusd
Versions
< 7.1.0

Weakness (CWE)

Timeline

Disclosed
June 26, 2026

CVSS

9.9
Critical (9.0–10)

What is CVE-2026-48753: Incus S3 Multipart Upload Path Traversal Arbitrary File Write?

CVE-2026-48753 (Incus S3 Multipart Upload Path Traversal Arbitrary File Write) maps to the Initial Access, Persistence, Privilege Escalation and Lateral Movement tactics in MITRE ATT&CK; in Initial Access terms, the adversary is trying to get into your network.

This page provides production-ready detection logic for CVE-2026-48753: Incus S3 Multipart Upload Path Traversal Arbitrary File Write, covering the data sources and telemetry it touches: DeviceFileEvents, DeviceNetworkEvents, Syslog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Persistence, Privilege Escalation, Lateral Movement
Microsoft Sentinel / Defender
kusto
let TraversalPatterns = dynamic(['../', '..\\', '%2e%2e%2f', '%2e%2e/', '..%2f', '%2e%2e%5c']);
union
(
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ('incusd', 'incus')
    | where FolderPath !startswith '/var/lib/incus/storage-pools/'
        and FolderPath !startswith '/var/lib/incus/containers/'
    | where ActionType in ('FileCreated', 'FileModified')
    | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
    | extend AlertReason = 'Incus process wrote file outside expected storage paths'
),
(
    DeviceNetworkEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName =~ 'incusd'
    | where RemotePort in (443, 9000, 9001)
    | extend RequestDetails = tostring(AdditionalFields)
    | where RequestDetails has_any (TraversalPatterns)
    | project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessCommandLine, RequestDetails
    | extend AlertReason = 'Incus S3 request contains path traversal sequence'
),
(
    Syslog
    | where TimeGenerated > ago(24h)
    | where ProcessName == 'incusd'
    // Both conditions are required: a traversal sequence AND the multipart upload context
    | where SyslogMessage has 'multipart'
        and SyslogMessage has_any (TraversalPatterns)
    // Syslog carries the host in HostName; alias it so the final summarize groups all three branches by one column
    | project TimeGenerated, DeviceName = HostName, ProcessName, SyslogMessage
    | extend AlertReason = 'Incus daemon log contains path traversal in S3 multipart context'
)
| summarize EventCount = count() by AlertReason, DeviceName, bin(TimeGenerated, 5m)

Detects CVE-2026-48753 exploitation via three correlated signals: Incus writing files outside expected storage paths, S3 network requests with traversal sequences, and syslog entries with traversal patterns in multipart upload context.

Severity: critical. Confidence: high.

Data Sources

DeviceFileEvents, DeviceNetworkEvents, Syslog

Required Tables

DeviceFileEvents, DeviceNetworkEvents, Syslog

False Positives

  • Legitimate Incus backup operations writing to non-default storage pool paths
  • Custom Incus storage pool configurations using non-standard directories
  • Security scanners testing the S3 endpoint with benign traversal patterns
  • Storage migration tasks moving data between pools during maintenance windows

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-48753 (Incus S3 Multipart Upload Path Traversal Arbitrary File Write) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1 (CVE-2026-48753 PoC): Path Traversal via S3 Multipart Upload Initiation

    Expected signal: Network log showing PUT/POST request to Incus S3 endpoint with URL-encoded path traversal sequence in the request URI; incusd process log entries showing the malformed object key

  2. Test 2 (CVE-2026-48753 Simulation): Anomalous File Write by Incusd Process

    Expected signal: Linux audit log (auditd) syscall record showing openat/write to /etc/cron.d/ by process running as root; osquery file_events showing new file creation at sensitive path; EDR file creation alert for /etc/cron.d/

  3. Test 3 (CVE-2026-48753 Detection Validation): Incusd Version Audit

    Expected signal: Process execution telemetry showing incus binary invoked with --version flag; no file modifications or network connections generated

  4. Test 4 (CVE-2026-48753): S3 Multipart Upload with Double-Encoded Traversal

    Expected signal: Network request logs showing PUT to Incus S3 endpoint with %252e%252e and %2e%2e encoded sequences; incusd application logs recording the object key with encoded traversal characters before server-side decoding
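As an added example (not code from this page or from the Incus project), the Syslog branch of the query above and the double-encoded case in Test 4 expressed as a stand-alone Python check run over constructed incusd log lines; it goes slightly beyond the KQL by percent-decoding the object key repeatedly so that %252e%252e (which the literal pattern list misses) still triggers. The `key=` field and the log line format are assumptions for this example, not Incus's real log format.

```python
import re
from urllib.parse import unquote

# Literal sequences mirrored from the detection's TraversalPatterns list.
TRAVERSAL_PATTERNS = ('../', '..\\', '%2e%2e%2f', '%2e%2e/', '..%2f', '%2e%2e%5c')

# Assumed log field for the S3 object key; Incus's actual log format may differ.
KEY_RE = re.compile(r'key=(\S+)')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded keys (%252e%252e) collapse to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def key_has_traversal(object_key: str) -> bool:
    """True if the key carries a traversal sequence, literal or encoded."""
    lowered = object_key.lower()
    if any(p in lowered for p in TRAVERSAL_PATTERNS):
        return True
    # Fallback: decode, normalise separators, and look for a bare '..' path segment.
    decoded = decode_fully(lowered).replace('\\', '/')
    return any(seg == '..' for seg in decoded.split('/'))


def scan_syslog(lines):
    """Return (line_no, key) for incusd multipart log lines whose object key shows traversal."""
    hits = []
    for n, line in enumerate(lines, 1):
        if 'incusd' not in line or 'multipart' not in line.lower():
            continue
        m = KEY_RE.search(line)
        if m and key_has_traversal(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample lines: a benign upload, a single-encoded and a double-encoded traversal key.
SAMPLE_SYSLOG = [
    'Jun 26 10:00:01 host1 incusd[1234]: S3 multipart upload initiated key=backups/ctr1/part1 bucket=pool1',
    'Jun 26 10:00:05 host1 incusd[1234]: S3 multipart upload initiated key=backups/..%2f..%2fetc%2fcron.d%2fjob bucket=pool1',
    'Jun 26 10:00:07 host1 sshd[99]: Accepted publickey for admin from 10.0.0.5',
    'Jun 26 10:00:09 host1 incusd[1234]: S3 multipart upload initiated key=%252e%252e%252fetc/cron.d/x bucket=pool1',
    'Jun 26 10:00:12 host1 incusd[1234]: S3 multipart upload completed key=images/ubuntu-24.04.tar.xz bucket=pool1',
]

if __name__ == '__main__':
    for n, key in scan_syslog(SAMPLE_SYSLOG):
        print(f'line {n}: traversal in object key {key!r}')
```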
