CVE-2026-3351 in LXD
Summary
by MITRE • 03/03/2026
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
Analysis
by VulDB Data Team • 03/11/2026
CVE-2026-3351 is a critical authorization flaw in Canonical LXD 6.6 that weakens the integrity of certificate management operations. The affected endpoint, GET /1.0/certificates, serves certificate enumeration requests in the LXD container management system. The flaw concerns authenticated users with restricted privileges, who should not have access to the complete set of certificates the server trusts. It violates the principle of least privilege and reflects inadequate access control within the LXD service architecture.
The root cause is improper validation of the caller's permissions when a certificate enumeration request is processed. An authenticated user with restricted access rights can bypass the intended authorization controls and retrieve the complete list of certificate fingerprints trusted by the LXD server, because the daemon does not verify whether the requester holds sufficient privileges to read the certificate trust store. The result is privilege escalation through information disclosure: a user who should have only a limited view gains visibility into the entire certificate trust hierarchy managed by the LXD daemon. The weakness is classified as CWE-284, which covers improper access control mechanisms and inadequate authorization checks.
The operational impact goes beyond the disclosure itself and creates downstream security risk in containerized environments. An attacker with restricted access can enumerate every trusted certificate, which may reveal sensitive details of the LXD infrastructure, including the certificate authorities and trust relationships in use. That knowledge can support more sophisticated attacks such as certificate forgery attempts, man-in-the-middle attacks against container communications, or exploitation of certificate-based authentication mechanisms. The vulnerability therefore undermines the security boundary of the LXD service: it permits unauthorized information gathering that could lead to further compromise of containerized applications and the underlying host system. It aligns with ATT&CK technique T1087.001, account discovery through enumeration of system information.
Mitigating CVE-2026-3351 requires prompt enforcement of proper access control in the LXD API endpoints. System administrators should ensure that certificate enumeration requests are validated against the caller's roles and permissions, with a strict authorization check performed before any certificate trust information is returned. The recommended approach is to update to the latest LXD version, in which Canonical has patched the authorization flaw. Beyond patching, organizations should segment the network to limit who can reach the LXD API, manage user privileges strictly, and audit container management systems regularly. Monitoring for unauthorized certificate enumeration attempts, through log analysis and intrusion detection systems, helps identify exploitation attempts. The vulnerability illustrates how important correct access control is in container orchestration platforms, where sensitive cryptographic information can be leveraged for broader system compromise.
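The missing check described above, as an added illustration in Go (not LXD's own code): one handler for GET /1.0/certificates that, in vulnerable mode, checks only that the caller is authenticated, and in hardened mode also refuses the full listing to a restricted identity. The X-Test-Identity header, the "restricted:" naming convention, the response shape and the fingerprints are constructed stand-ins, not LXD's real identity model or API format.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// trustStore stands in for the server's certificate trust store (constructed sample fingerprints).
var trustStore = []string{"3c1a9f...0e", "b72d40...91", "e58c7b...4d"}

// caller resolves the authenticated identity. A constructed test header stands in for the TLS
// client-certificate lookup a real server does; ok=false means unauthenticated, and a name
// prefixed "restricted:" models a restricted (non-admin) identity.
func caller(r *http.Request) (name string, restricted, ok bool) {
	name = r.Header.Get("X-Test-Identity")
	return name, strings.HasPrefix(name, "restricted:"), name != ""
}

// listCertificates serves GET /1.0/certificates. With enforce=false it reproduces the flaw
// class in the advisory: authentication is checked but authorization is not, so any
// authenticated caller receives the whole trust store. With enforce=true the missing
// authorization check is present and a restricted identity is refused the enumeration.
func listCertificates(enforce bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, restricted, ok := caller(r)
		if !ok {
			http.Error(w, "not authenticated", http.StatusUnauthorized)
			return
		}
		if enforce && restricted {
			http.Error(w, "not authorized to enumerate the trust store", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string][]string{"metadata": trustStore})
	}
}

// call issues GET /1.0/certificates as identity ("" = unauthenticated) and returns the
// HTTP status plus the number of fingerprints disclosed in the response body.
func call(h http.HandlerFunc, identity string) (status, disclosed int) {
	req := httptest.NewRequest(http.MethodGet, "/1.0/certificates", nil)
	if identity != "" {
		req.Header.Set("X-Test-Identity", identity)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var body struct{ Metadata []string `json:"metadata"` }
	_ = json.NewDecoder(rec.Body).Decode(&body) // error responses are plain text; decode fails harmlessly
	return rec.Code, len(body.Metadata)
}
```

The distinction to look for in a review is 401 (no identity) versus 403 (identity known but not permitted); the vulnerable mode never produces the latter for this route.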