Improper Authorization in Canonical LXD on Linux Affects User Security
CVE-2026-3351

2.1LOW

Key Information:

Vendor

Canonical

Status
Lxd
Vendor
CVE Published:
3 March 2026

What is CVE-2026-3351?

An improper authorization vulnerability exists within the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux. This flaw allows an authenticated but restricted user to enumerate all certificate fingerprints that the LXD server trusts. Such unauthorized access may lead to exposure of sensitive information and enhance the risk of further attacks. It is crucial for users of Canonical LXD to assess their security posture and implement any necessary updates or mitigations to protect their systems.

Affected Version(s)

lxd Linux 6.6

References

https://github.com/canonical/lxd/security/advisories/GHSA...
vdb-entryvendor-advisory
https://github.com/canonical/lxd/pull/17738
patchissue-tracking
https://github.com/canonical/lxd/commit/d936c90d47cf0be1e...
patch

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.