Go modules package
github.com/canonical/lxd
pkg:golang/github.com/canonical/lxd
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34179 | Cri | 9.1 | >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267 | — | Apr 9, 2026 | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker | |
| CVE-2026-34178 | Cri | 9.1 | >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267 | — | Apr 9, 2026 | In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restricti | |
| CVE-2026-34177 | Cri | 9.1 | >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267 | — | Apr 9, 2026 | Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restrict | |
| CVE-2026-3351 | — | < 0.0.0-20260224152359-d936c90d47cf | 0.0.0-20260224152359-d936c90d47cf | Mar 3, 2026 | Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server. | ||
| CVE-2025-54293 | — | >= 4.0, < 5.21.4 | 5.21.4 | Oct 2, 2025 | Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links. | ||
| CVE-2025-54291 | — | >= 4.0, < 5.21.4 | 5.21.4 | Oct 2, 2025 | Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses. | ||
| CVE-2025-54290 | — | >= 4.0, < 5.21.4 | 5.21.4 | Oct 2, 2025 | Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints. | ||
| CVE-2025-54289 | — | >= 4.0, < 5.21.4 | 5.21.4 | Oct 2, 2025 | Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format | ||
| CVE-2025-54288 | — | >= 4.0, < 5.21.4 | 5.21.4 | Oct 2, 2025 | Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed proce | ||
| CVE-2025-54286 | — | >= 5.0, < 5.0.5 | 5.0.5 | Oct 2, 2025 | Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication. | ||
| CVE-2024-6219 | — | < 0.0.0-20240403103450-0e7f2b5bf4d2 | 0.0.0-20240403103450-0e7f2b5bf4d2 | Dec 5, 2024 | Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. | ||
| CVE-2024-6156 | — | < 0.0.0-20240708073652-5a492a3f0036 | 0.0.0-20240708073652-5a492a3f0036 | Dec 5, 2024 | Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. |
- affected >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker
- affected >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restricti
- affected >= 0.0.0-20210305023314-538ac3df036e, <= 0.0.0-20260226085519-736f34afb267
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restrict
- CVE-2026-3351Mar 3, 2026affected < 0.0.0-20260224152359-d936c90d47cffixed 0.0.0-20260224152359-d936c90d47cf
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
- CVE-2025-54293Oct 2, 2025affected >= 4.0, < 5.21.4fixed 5.21.4
Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.
- CVE-2025-54291Oct 2, 2025affected >= 4.0, < 5.21.4fixed 5.21.4
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
- CVE-2025-54290Oct 2, 2025affected >= 4.0, < 5.21.4fixed 5.21.4
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
- CVE-2025-54289Oct 2, 2025affected >= 4.0, < 5.21.4fixed 5.21.4
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
- CVE-2025-54288Oct 2, 2025affected >= 4.0, < 5.21.4fixed 5.21.4
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed proce
- CVE-2025-54286Oct 2, 2025affected >= 5.0, < 5.0.5fixed 5.0.5
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
- CVE-2024-6219Dec 5, 2024affected < 0.0.0-20240403103450-0e7f2b5bf4d2fixed 0.0.0-20240403103450-0e7f2b5bf4d2
Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.
- CVE-2024-6156Dec 5, 2024affected < 0.0.0-20240708073652-5a492a3f0036fixed 0.0.0-20240708073652-5a492a3f0036
Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.