Project Restriction Bypass in Canonical LXD Software
CVE-2026-34178

9.1 CRITICAL

Key Information:

Vendor: Canonical
Status: Vendor
CVE Published: 9 April 2026

What is CVE-2026-34178?

In versions of Canonical LXD prior to 6.8, the backup import process fails to properly validate critical project restrictions. An authenticated remote attacker who has permission to create instances within a restricted project can import a crafted backup archive. The backup.yaml file, which configures the imported instance, is not subjected to the same validation as the index.yaml file. This oversight lets the attacker impose unauthorized configurations such as security.privileged=true or raw.lxc directives, effectively bypassing all project restrictions and potentially leading to a full compromise of the host system.
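
As an added illustration of the validation gap described above (example code, not LXD's own implementation), the check below extracts the `config:` mapping from a backup.yaml document and reports the keys a restricted project must reject before the import proceeds. The flat document layout, the `project_restricted` flag and the forbidden-key policy are assumptions made for this example.

```python
# Added example (not LXD's code): check the instance config carried in a
# backup's backup.yaml against project restrictions before importing it.
# The flat document layout and the policy table below are assumptions.

# Settings a restricted project must never accept from an imported backup,
# limited to the two the advisory names.  Constructed policy, not LXD's.
FORBIDDEN = {
    "security.privileged": lambda v: str(v).lower() == "true",
    "raw.lxc": lambda v: v not in ("", None),
}

def parse_config_section(text):
    """Return the flat `config:` mapping of a simplified backup.yaml (two-space
    indented `key: value` lines under a top-level `config:` key only)."""
    config, in_config = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # a new top-level key starts here
            in_config = line.rstrip() == "config:"
            continue
        if in_config and ":" in line:
            key, _, value = line.strip().partition(":")
            config[key.strip()] = value.strip().strip('"')
    return config

def restricted_violations(backup_yaml, project_restricted=True):
    """List the config keys a restricted project must reject; [] means pass."""
    if not project_restricted:
        return []
    config = parse_config_section(backup_yaml)
    return sorted(k for k, bad in FORBIDDEN.items() if k in config and bad(config[k]))

# Constructed backup.yaml documents: one carrying the two settings the
# advisory describes, one that stays within the restrictions.
CRAFTED_BACKUP_YAML = """\
container:
  name: c1
config:
  security.privileged: "true"
  raw.lxc: "lxc.environment=EXAMPLE=1"
  image.os: ubuntu
"""
SAFE_BACKUP_YAML = """\
config:
  security.privileged: "false"
  image.os: ubuntu
"""
```

The point the advisory makes is that this kind of check has to run against backup.yaml as well as index.yaml; a real importer would hand the document to a full YAML library rather than the minimal parser shown here.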

Affected Version(s)

lxd (Linux): from 4.12.0 before 5.0.7

lxd (Linux): from 5.1.0 before 5.21.5

lxd (Linux): from 6.0.0 before 6.8.0

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Miha Purg