What is CVE-2026-34179?

CVE-2026-34179 is a critical-severity vulnerability in Canonical Lxd, classified under Improperly Controlled Modification of Dynamically-Determined Object Attributes. CVSS score: 9.1/10. Published 2026-04-09.

How severe is CVE-2026-34179?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Vulnerability in Canonical Lxd

CVE-2026-34179

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users…

Vulnerability class: Mass Assignment

EPSS: 0.002 (37.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Canonical Lxd — versions 4.12.0, 5.1.0, 6.0.0

Weakness classification (CWE)

CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes

References

Update of type field in restricted TLS certificate allows privilege escalation to cluster admin (vdb-entry, vendor-advisory)
Improve validation on certificate edit (patch, issue-tracking)

Frequently asked questions

What is CVE-2026-34179?: CVE-2026-34179 is a critical-severity vulnerability in Canonical Lxd, classified under Improperly Controlled Modification of Dynamically-Determined Object Attributes. CVSS score: 9.1/10. Published 2026-04-09.
How severe is CVE-2026-34179?: Critical severity. CVSS v3 base score is 9.1 out of 10.