Moderate severity · NVD Advisory · Published Mar 3, 2026 · Updated Mar 5, 2026
Authorization Bypass in LXD GET /1.0/certificates Endpoint
CVE-2026-3351
Description
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the LXD server.
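The weakness is a list endpoint with two representations (URL-only and recursive records) where only one of them passed through the per-object authorization filter. The following Go program is an added illustration of the defensive pattern, not LXD's code: the `Certificate` type, `Policy` authorizer, callers and fingerprints are all constructed, and the URL layout merely mirrors the `/1.0/certificates/<fingerprint>` path named in the description. Both representations are produced from one loop that applies the same `CanView` predicate, so a restricted caller gets the same set of fingerprints whichever form it asks for.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Certificate is a constructed stand-in for a trusted-client certificate
// record; it is not LXD's type.
type Certificate struct {
	Fingerprint string `json:"fingerprint"`
	Name        string `json:"name"`
}

// Policy is a hypothetical authorizer: admins see every certificate, other
// callers see only the fingerprints listed for them. LXD's real authorizer
// is not modelled here.
type Policy struct {
	Admins  map[string]bool
	Visible map[string]map[string]bool
}

// CanView is the single authorization predicate both list forms must use.
func (p Policy) CanView(caller, fingerprint string) bool {
	if p.Admins[caller] {
		return true
	}
	return p.Visible[caller][fingerprint] // nil map lookups yield false
}

// listCertificatesJSON renders a GET /1.0/certificates style response for
// the caller: URLs when recursive is false, full records when true. The
// authorization check sits in the one loop that feeds both branches, so the
// URL form cannot expose fingerprints the record form would withhold.
func listCertificatesJSON(all []Certificate, caller string, p Policy, recursive bool) (string, error) {
	// Non-nil empty slices encode as [] rather than null when nothing is visible.
	urls := make([]string, 0)
	records := make([]Certificate, 0)

	for _, c := range all {
		if !p.CanView(caller, c.Fingerprint) {
			continue // filtered before either representation is built
		}
		if recursive {
			records = append(records, c)
		} else {
			urls = append(urls, fmt.Sprintf("/1.0/certificates/%s", c.Fingerprint))
		}
	}

	var body any = urls
	if recursive {
		body = records
	}
	out, err := json.Marshal(body)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// Constructed sample data: three trusted certificates and one restricted
// caller that owns a single one of them.
var sampleCerts = []Certificate{
	{Fingerprint: "aa11", Name: "ci-runner"},
	{Fingerprint: "bb22", Name: "laptop"},
	{Fingerprint: "cc33", Name: "backup-host"},
}

var samplePolicy = Policy{
	Admins:  map[string]bool{"admin": true},
	Visible: map[string]map[string]bool{"restricted-user": {"bb22": true}},
}

func main() {
	for _, caller := range []string{"admin", "restricted-user", "nobody"} {
		for _, recursive := range []bool{false, true} {
			out, _ := listCertificatesJSON(sampleCerts, caller, samplePolicy, recursive)
			fmt.Printf("%-16s recursive=%-5v %s\n", caller, recursive, out)
		}
	}
}
```

Running it prints the admin's full listing in both forms, the restricted user's single `bb22` entry in both forms, and `[]` for a caller with no visible certificates. The check to write as a regression test is exactly that symmetry: the set of fingerprints recoverable from the URL form must equal the set in the recursive form for every caller.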
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/canonical/lxd | Go | < 0.0.0-20260224152359-d936c90d47cf | 0.0.0-20260224152359-d936c90d47cf |
Affected products
- Range: 6.6
Patches
- d936c90d47cf lxd/certificates: Return only allowed certificates in non-recursive list (#17738)
1 file changed · +5 −9
lxd/certificates.go+5 −9 modified@@ -151,10 +151,10 @@ func certificatesGet(d *Daemon, r *http.Request) response.Response { } var certResponses []*api.Certificate - var baseCerts []dbCluster.Certificate + var certURLs []string urlToCertificate := make(map[*api.URL]auth.EntitlementReporter) err = d.State().DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error { - baseCerts, err = dbCluster.GetCertificates(ctx, tx.Tx()) + baseCerts, err := dbCluster.GetCertificates(ctx, tx.Tx()) if err != nil { return err } @@ -173,6 +173,8 @@ func certificatesGet(d *Daemon, r *http.Request) response.Response { certResponses = append(certResponses, apiCert) urlToCertificate[entity.CertificateURL(apiCert.Fingerprint)] = apiCert + } else { + certURLs = append(certURLs, api.NewURL().Path(version.APIVersion, "certificates", baseCert.Fingerprint).String()) } } @@ -183,13 +185,7 @@ func certificatesGet(d *Daemon, r *http.Request) response.Response { } if !recursion { - body := []string{} - for _, baseCert := range baseCerts { - certificateURL := api.NewURL().Path(version.APIVersion, "certificates", baseCert.Fingerprint).String() - body = append(body, certificateURL) - } - - return response.SyncResponse(true, body) + return response.SyncResponse(true, certURLs) } if len(withEntitlements) > 0 {
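Review bot: In the first hunk, `baseCerts, err := dbCluster.GetCertificates(ctx, tx.Tx())` declares a fresh `err` inside the transaction closure and shadows the outer `err` that the removed `=` form assigned to. This is harmless as written because the closure returns the shadowed value on failure and the outer variable receives the transaction's result, but shadow linters will flag it; if the intent is only to scope `baseCerts` to the closure, declaring `var baseCerts []dbCluster.Certificate` on its own line and keeping `baseCerts, err = ...` avoids the shadow.

Review bot: In the second hunk, the new `else` branch appends to `certURLs` from inside the same per-certificate loop that fills `certResponses`, so the non-recursive listing now inherits whatever filtering precedes that branch in the loop; the filter itself lies outside the hunk's context, so the hunk alone does not show it is applied before both branches. Suggest adding a regression test that a restricted client's GET /1.0/certificates without recursion returns exactly the fingerprints it is entitled to, compared against the recursive response for the same client, so the two representations cannot drift apart again.

Review bot: In the third hunk, `return response.SyncResponse(true, certURLs)` sends a slice declared as `var certURLs []string`, which is nil when no certificate passes the filter, whereas the removed code built `body := []string{}`. If the metadata is marshalled with encoding/json, a nil slice serialises as `null` and an empty slice as `[]`, so a fully restricted caller now receives a different response shape than before. Suggest `certURLs := []string{}` (or `make([]string, 0)`) at the declaration to preserve the empty-list response.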
References
- github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1 (patch)
- github.com/canonical/lxd/pull/17738 (patch, issue tracking)
- github.com/advisories/GHSA-crmg-9m86-636r (advisory)
- github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3351 (advisory)