Description
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Published: 2026-04-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Privilege Escalation to Cluster Admin
Action: Immediate Patch
AI Analysis

Impact

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function does not validate the Type field when handling PUT or PATCH requests to the /1.0/certificates/{fingerprint} endpoint for restricted TLS certificate users. This omission allows a remote authenticated attacker that can perform certificate updates to change the certificate type and consequently elevate their privileges to cluster admin. The flaw represents a classic privilege‑escalation vulnerability as defined by CWE‑915, potentially giving full control over the cluster.

Affected Systems

The vulnerability affects Canonical's LXD container hypervisor, specifically versions 4.12 through 6.7. Users running LXD at these release levels and utilizing the certificate management API are at risk.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity, and the flaw is exploitable by any authenticated user with certificate update permissions. Because the attacker must first authenticate to LXD, the threat is confined to compromised or less privileged accounts within the same cluster, but the impact reaches cluster‑wide administrative control. EPSS is not available and the issue is not listed in the CISA KEV catalog, suggesting it may not yet be broadly exploited in the wild.

Generated by OpenCVE AI on April 9, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched release of Canonical LXD to eliminate the Type field validation flaw.

Generated by OpenCVE AI on April 9, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6212-1 incus security update
Debian DSA Debian DSA DSA-6213-1 lxd security update
Github GHSA Github GHSA GHSA-c3h3-89qf-jqm5 LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
History

Wed, 22 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical lxd
Vendors & Products Canonical
Canonical lxd

Thu, 09 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Title Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Weaknesses CWE-915
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Canonical Lxd
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-09T11:54:18.487Z

Reserved: 2026-03-26T09:24:08.449Z

Link: CVE-2026-34179

cve-icon Vulnrichment

Updated: 2026-04-09T11:54:09.651Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T10:16:21.963

Modified: 2026-04-22T20:51:25.340

Link: CVE-2026-34179

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:33:01Z

Weaknesses