GitHub.com Canonical LXD vulnerabilities

12 known vulnerabilities affecting github.com/canonical_lxd.

Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 4, LOW 2

Vulnerabilities

CVE-2026-34177 | CRITICAL | CWE-184 | Affected: ≥ 0.0.0-20210305023314-538ac3df036e, ≤ 0.0.0-20260226085519-736f34afb267 | 2026-04-10
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Summary: The `isVMLowLevelOptionForbidden` function in `lxd/project/limits/permissions.go` is missing `raw.apparmor` and `raw.qemu.conf` from its hardcoded forbidden list. A user with `can_edit` permission on a VM instance in a restricted project can combine these two omissions to bridge the LXD unix socket into the gu
Sources: GHSA
CVE-2026-34178 | CRITICAL | CWE-20 | Affected: ≥ 0.0.0-20210305023314-538ac3df036e, ≤ 0.0.0-20260226085519-736f34afb267 | 2026-04-10
LXD: Importing a crafted backup leads to project restriction bypass
Summary: LXD instance backup import validates project restrictions against `backup/index.yaml` embedded in the tar archive, but creates the actual instance from `backup/container/backup.yaml` extracted to the storage volume. Because these are separate, independently attacker-controlled files within the same tar archive, an at
Sources: GHSA
CVE-2026-34179 | CRITICAL | CWE-915 | Affected: ≥ 0.0.0-20210305023314-538ac3df036e, ≤ 0.0.0-20260226085519-736f34afb267 | 2026-04-10
LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Summary: A restricted TLS certificate user can escalate to cluster admin by changing their certificate type from `client` to `server` via PUT/PATCH to `/1.0/certificates/{fingerprint}`. The non-admin guard and reset block in `doCertificateUpdate` fail to vali
Sources: GHSA
CVE-2026-3351 | MEDIUM | CWE-862 | Affected: ≥ 0, < 0.0.0-20260224152359-d936c90d47cf | 2026-03-04
lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints
Summary: The `GET /1.0/certificates` endpoint (non-recursive mode) returns URLs containing fingerprints for all certificates in the trust store, bypassing the per-object `can_view` authorization check that is correctly applied in the recursive path. Any authentica
Sources: GHSA, OSV
CVE-2025-54289 | HIGH | CWE-1385 | Affected: ≥ 4.0, < 5.21.4; ≥ 6.0, < 6.5; +1 more | 2025-10-02
Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API
Impact: LXD's operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication of WebSocket connections for terminal and console sessions. Therefore,
Sources: GHSA, OSV
CVE-2025-54286 | HIGH | CWE-352 | Affected: ≥ 5.0, < 5.0.5; ≥ 5.1, < 5.21.4; +2 more | 2025-10-02
Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
Description: OIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other sites. Therefore, CSRF does not occur as long as web services in a Same Site relationship (same eTLD+1) with the origin running LXD-UI a
Sources: GHSA, OSV
CVE-2025-54293 | HIGH | CWE-22 | Affected: ≥ 4.0, < 5.21.4; ≥ 6.0, < 6.5; +1 more | 2025-10-02
Canonical LXD Path Traversal Vulnerability in Instance Log File Retrieval Function
Impact: Although outside the scope of this penetration test, a path traversal vulnerability exists in the validLogFileName function that validates log file names in lxd/instance_logs.go in the LXD 5.0 LTS series. This vulnerability was fixed in PR #15022 in February 2025, and is fixed in at least LX
Sources: GHSA, OSV
CVE-2025-54291 | MEDIUM | CWE-209 | Affected: ≥ 4.0, < 5.21.4; ≥ 6.0, < 6.5; +1 more | 2025-10-02
Canonical LXD Project Existence Determination Through Error Handling in Image Get Function
Impact: The LXD /1.0/images endpoint is implemented as an AllowUntrusted API that requires no authentication, making it accessible to users without accounts. This API allows determining project existence through differences in HTTP status codes when accessed with the project parame
Sources: GHSA, OSV
CVE-2025-54288 | MEDIUM | CWE-290 | Affected: ≥ 4.0, < 5.21.4; ≥ 6.0, < 6.5; +1 more | 2025-10-02
Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
Impact: In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing process names. The core issue lies in the findContainerForPID function in `lxd/
Sources: GHSA, OSV
CVE-2025-54290 | MEDIUM | CWE-200 | Affected: ≥ 4.0, < 5.21.4; ≥ 6.0, < 6.5; +1 more | 2025-10-02
Canonical LXD Project Existence Determination Through Error Handling in Image Export Function
Impact: In LXD's images export API (`/1.0/images/{fingerprint}/export`), implementation differences in error handling allow determining project existence without authentication. Specifically, in the following code, errors when multiple images match are directly returned to u
Sources: GHSA, OSV
CVE-2024-6156 | LOW | CWE-295 | Affected: ≥ 0, < 0.0.0-20240708073652-5a492a3f0036 | 2024-12-09
lxd CA certificate sign check bypass
Summary: If a `server.ca` file is present in `LXD_DIR` at LXD start up, LXD is in "PKI mode". In this mode, only TLS clients that have a CA-signed certificate should be able to authenticate with LXD. We have discovered that if a client sends a non-CA signed certificate during the TLS handshake, that client is able to authenticate with LXD if their certificate is present in the trust st
Sources: GHSA, OSV
CVE-2024-6219 | LOW | CWE-287 | Affected: ≥ 0, < 0.0.0-20240403103450-0e7f2b5bf4d2 | 2024-12-09
lxd has a restricted TLS certificate privilege escalation when in PKI mode
Summary: If a `server.ca` file is present in `LXD_DIR` at LXD start up, LXD is in "PKI mode". In this mode, all clients must have certificates that have been signed by the CA. The LXD configuration option `core.trust_ca_certificates` defaults to `false`. This means that although the client certificate has been signe
Sources: GHSA, OSV