Description
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
Published: 2026-03-03
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess
AI Analysis

Impact

The flaw is an authorization bypass in the GET /1.0/certificates API of Canonical LXD 6.6 on Linux. An authenticated but restricted user can call this endpoint and retrieve the fingerprints of every certificate the LXD server trusts. This exposes the contents of the server's trust store, which could aid further attacks or reveal sensitive configuration details.

Affected Systems

Canonical LXD 6.6 running on Linux distributions.

Risk and Exploitability

The CVSS score of 2.1 ranks this as low severity, and the EPSS score indicates a very low likelihood of exploitation. Exploitation requires an account that is already authenticated to the LXD server, even if only with restricted privileges, so only existing (if limited) users can trigger it. Because exploitation yields neither code execution nor full system compromise, the overall risk is modest, though the disclosed certificate fingerprints could assist in social engineering or credential gathering.

Generated by OpenCVE AI on April 17, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LXD to a patched version that includes the fix for the GET /1.0/certificates authorization check, as referenced in the vendor’s security advisory.
  • Ensure that users with restricted privileges are only granted those privileges that are necessary and do not include unnecessary access to the certificates endpoint.
  • Consider monitoring for unusual use of the GET /1.0/certificates endpoint by restricted users and audit certificate listings for suspicious activity.


Advisories

Source: GitHub GHSA
ID: GHSA-crmg-9m86-636r
Title: lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints

History

Wed, 11 Mar 2026 18:45:00 +0000

Type: First Time appeared
  Values Added: Canonical; Canonical lxd; Linux; Linux linux Kernel
Type: CPEs
  Values Added: cpe:2.3:a:canonical:lxd:6.6:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Canonical; Canonical lxd; Linux; Linux linux Kernel
Type: Metrics
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 04 Mar 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Lxd; Lxd lxd
Type: Vendors & Products
  Values Added: Lxd; Lxd lxd

Tue, 03 Mar 2026 15:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 13:15:00 +0000

Type: Description
  Values Added: Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
Type: Title
  Values Added: Authorization Bypass in LXD GET /1.0/certificates Endpoint
Type: Weaknesses
  Values Added: CWE-862
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-03-05T17:20:25.645Z

Reserved: 2026-02-27T16:38:38.974Z

Link: CVE-2026-3351

Vulnrichment

Updated: 2026-03-03T14:46:53.694Z

NVD

Status: Analyzed

Published: 2026-03-03T13:16:21.350

Modified: 2026-03-11T18:41:28.560

Link: CVE-2026-3351

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses