Moderate severityNVD Advisory· Published Mar 3, 2026· Updated Mar 5, 2026
Authorization Bypass in LXD GET /1.0/certificates Endpoint
CVE-2026-3351
Description
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/canonical/lxdGo | < 0.0.0-20260224152359-d936c90d47cf | 0.0.0-20260224152359-d936c90d47cf |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/canonical/lxdpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 0.0.0-20260224152359-d936c90d47cf+ 1 more
- (no CPE)range: < 0.0.0-20260224152359-d936c90d47cf
- (no CPE)range: < 0.0.20260317T205859-150000.1.152.1
Patches
Vulnerability mechanics
References
5- github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1ghsapatchWEB
- github.com/canonical/lxd/pull/17738ghsapatchissue-trackingWEB
- github.com/advisories/GHSA-crmg-9m86-636rghsaADVISORY
- github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636rghsavdb-entryvendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-3351ghsaADVISORY
News mentions
0No linked articles in our index yet.