High severityNVD Advisory· Published Oct 2, 2025· Updated Feb 26, 2026

CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI

CVE-2025-54286

Description

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/canonical/lxdGo	>= 5.0, < 5.0.5	5.0.5
github.com/canonical/lxdGo	>= 5.1, < 5.21.4	5.21.4
github.com/canonical/lxdGo	>= 6.0, < 6.5	6.5
github.com/canonical/lxdGo	>= 0.0.0-20220401034332-1e1349e3cbf3, < 0.0.0-20250827065555-0494f5d47e41	0.0.0-20250827065555-0494f5d47e41

Affected products

Canonical (company)/Lxdv5
Range: 5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p8hw-rfjg-689hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-54286ghsaADVISORY
github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689hghsaWEB
pkg.go.dev/vuln/GO-2025-4003ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000