Auth bypass in Canonical LXD
CVE-2026-3351
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the LXD server.
Vulnerability class: Broken Access Control
EPSS: 0.000 (7.9th percentile)
Affected products
- Canonical LXD — version 6.6
Weakness classification (CWE)
References
- github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r (vdb-entry, vendor-advisory)
- lxd/certificates: Return only allowed certificates in non-recursive list (patch, issue-tracking)
- github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1 (patch)