CVE-2026-3351: Authorization Bypass in Canonical LXD Certificates API
Vulnerability ID: CVE-2026-3351
CVSS Score: 2.1
Published: 2026-03-04
A Missing Authorization vulnerability in Canonical LXD allows authenticated, restricted users to enumerate the fingerprints of all trusted certificates via the API. The flaw exists in the non-recursive handling of the GET /1.0/certificates endpoint, bypassing per-object visibility controls.
TL;DR
Restricted users can bypass authorization checks in LXD's certificate API to list all trusted certificate fingerprints. This allows reconnaissance of the cluster's trust relationships.
Technical Details
- CVE ID: CVE-2026-3351
- CVSS v4.0: 2.1 (Low)
- CWE: CWE-862 (Missing Authorization)
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L
- Attack Complexity: Low
- Privileges Required: Low (Authenticated)
Affected Systems
- Canonical LXD 6.6
- LXD: = 6.6 (Fixed in: See Vendor Advisory)
Code Analysis
Commit: d936c90
Unify authorization logic in certificatesGet handler
Mitigation Strategies
- Update LXD to the latest stable release containing the fix.
- Restrict network access to the LXD API to trusted management hosts only.
- Review and rotate restricted tokens if comprehensive secrecy of trust relationships is critical.
Remediation Steps:
- Identify the current LXD version: lxd --version
- If running version 6.6 or earlier, upgrade immediately via the package manager (e.g., snap refresh lxd).
- Verify the fix by attempting to list certificates with a restricted token; the list should be empty or filtered.
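One way to carry out the verification step above, as an added example that is not part of the advisory or of LXD itself: the advisory says only the non-recursive form of GET /1.0/certificates skipped per-object visibility checks, so a restricted caller on a patched server should see the same fingerprints whether or not it asks for recursion=1, and any fingerprint that appears only in the non-recursive listing is the leak signature. It assumes lxc is configured with the restricted certificate or token for the remote under test and that lxc query --raw prints the server's full JSON envelope (the sample envelopes are constructed).

```python
# Post-upgrade check for CVE-2026-3351: does a restricted LXD client still see
# certificate fingerprints it should not? Added example, not LXD's own code.
# Assumptions: `lxc` uses the restricted certificate/token for the remote under
# test, and `lxc query --raw <path>` prints the server's JSON envelope.
import json
import subprocess

CERT_PATH = "/1.0/certificates"

# Constructed sample envelopes (not real server output) mimicking the two forms:
# non-recursive returns URLs, recursion=1 returns objects with "fingerprint".
SAMPLE_NONREC = json.dumps({"type": "sync", "status_code": 200, "metadata": [
    "/1.0/certificates/aaaa1111", "/1.0/certificates/bbbb2222", "/1.0/certificates/cccc3333"]})
SAMPLE_REC = json.dumps({"type": "sync", "status_code": 200, "metadata": [
    {"fingerprint": "bbbb2222", "name": "restricted-user", "restricted": True}]})


def fingerprints_from_listing(raw: str) -> list:
    """Extract fingerprints from either form of GET /1.0/certificates output."""
    envelope = json.loads(raw)
    if envelope.get("type") == "error":
        raise RuntimeError(f"LXD error {envelope.get('error_code')}: {envelope.get('error')}")
    fps = []
    for item in envelope.get("metadata") or []:
        if isinstance(item, str):                 # "/1.0/certificates/<fingerprint>"
            fps.append(item.rsplit("/", 1)[-1])
        elif isinstance(item, dict) and "fingerprint" in item:
            fps.append(item["fingerprint"])
    return fps


def assess(nonrec_raw: str, rec_raw: str) -> dict:
    """Compare both listings as seen by the same restricted caller; fingerprints
    present only in the non-recursive listing indicate the unpatched behaviour."""
    nonrec = set(fingerprints_from_listing(nonrec_raw))
    rec = set(fingerprints_from_listing(rec_raw))
    leaked = sorted(nonrec - rec)
    return {"non_recursive": len(nonrec), "recursive": len(rec),
            "leaked": leaked, "likely_vulnerable": bool(leaked)}


def lxc_query(path: str, remote: str = "") -> str:
    """Return the raw JSON envelope for an API path via `lxc query --raw`."""
    target = f"{remote}:{path}" if remote else path
    return subprocess.run(["lxc", "query", "--raw", target], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(json.dumps(assess(lxc_query(CERT_PATH), lxc_query(CERT_PATH + "?recursion=1")), indent=2))
```

Run it against the server from a host whose lxc remote is authenticated with the restricted token; a non-empty "leaked" list means the non-recursive listing still exposes fingerprints the restricted identity cannot otherwise see.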
References
Read the full report for CVE-2026-3351 on our website for more details including interactive diagrams and full exploit analysis.