PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-51082 Proxmox CVE debrief

CVE-2026-51082 is a race condition vulnerability between the vncproxy and vncwebsocket API calls in Proxmox Virtual Environment (PVE) 9.x pve-manager 9.1.x before 9.1.9 and 8.4.x before 8.4.19; qemu-server 9.1.x before 9.1.7 and 8.4.x before 8.4.7; and pve-container 6.1.x before 6.1.3 and 5.3.x before 5.3.4. An attacker with privileges to call 'vncproxy' can hijack a VNC session established in parallel by a different user for a different VM.

Vendor
Proxmox
Product
Proxmox Virtual Environment
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Proxmox Virtual Environment (PVE) 9.x, specifically those using pve-manager 9.1.x before 9.1.9 and 8.4.x before 8.4.19; qemu-server 9.1.x before 9.1.7 and 8.4.x before 8.4.7; and pve-container 6.1.x before 6.1.3 and 5.3.x before 5.3.4, should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

A race condition exists between the vncproxy and vncwebsocket API calls in Proxmox Virtual Environment (PVE). This vulnerability allows an attacker with privileges to call 'vncproxy' to hijack a VNC session that is established in parallel by a different user for a different VM. The affected products and versions are PVE 9.x pve-manager 9.1.x before 9.1.9 and 8.4.x before 8.4.19; qemu-server 9.1.x before 9.1.7 and 8.4.x before 8.4.7; and pve-container 6.1.x before 6.1.3 and 5.3.x before 5.3.4.

Defensive priority

High

Recommended defensive actions

  • Update pve-manager to version 9.1.9 or later for PVE 9.x, and to version 8.4.19 or later for PVE 8.4.x.
  • Update qemu-server to version 9.1.7 or later for PVE 9.x, and to version 8.4.7 or later for PVE 8.4.x.
  • Update pve-container to version 6.1.3 or later for PVE 6.1.x, and to version 5.3.4 or later for PVE 5.3.x.
  • Restrict access to the vncproxy API call to only those who need it.
  • Monitor VNC sessions for suspicious activity.

Evidence notes

The CVE record was published on 2026-07-17T15:16:46.867Z and has not been modified since then. The NVD entry is currently 'Received'. Evidence is limited; defenders should verify affected product deployments exist in managed environments and review official advisories for scope, severity, and guidance. Confirm compensating controls are in place for exposed systems and monitor for suspicious VNC session activity. Check relevant logs for exposed assets needing extra review.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T15:16:46.867Z and has not been modified since then. The NVD entry is currently Received.