CVE-2025-54289

UNKNOWN 0.0

Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

CWE	CWE-1385
Vendor	canonical
Product	lxd
Ecosystems	Linux
Industries	Technology
Published	Oct 2, 2025
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for canonical lxd

Be the first to know when new unknown vulnerabilities affecting canonical lxd are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Canonical / LXD

6 < 6.5 5.21 < 5.21.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228

Credits

GMO Flatt Security Inc.