CVE Alert

CVE-2026-28385

MEDIUM 5.0

SSRF via image import from URL allows internal network probing by authenticated users

CVSS Score: 5.0
EPSS Score: 0.0%
EPSS Percentile: 0th

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
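As an added example (not LXD's own code and not the fix in the linked pull request), this is the outbound-destination check the advisory describes as missing, written in Go since LXD is a Go daemon. The deny list covers loopback, RFC1918, link-local (including the 169.254.169.254 metadata address), CGNAT and the IPv6 equivalents, and it is applied in a net.Dialer.Control hook so it runs on the resolved address actually being dialed rather than on the hostname in the URL; the range list and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"syscall"
)

// Ranges an image-import fetch must never reach from the daemon's network
// position: loopback, RFC1918, link-local (incl. 169.254.169.254 metadata),
// CGNAT, "this host" and their IPv6 counterparts. Constructed deny list.
var blockedPrefixes []netip.Prefix

func init() {
	for _, c := range []string{
		"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
		"::1/128", "::/128", "fc00::/7", "fe80::/10",
	} {
		blockedPrefixes = append(blockedPrefixes, netip.MustParsePrefix(c))
	}
}

// IsBlockedAddr reports whether a falls in a denied range. IPv4-mapped IPv6
// (::ffff:127.0.0.1) is unmapped and zones are dropped so neither bypasses it.
func IsBlockedAddr(a netip.Addr) bool {
	a = a.Unmap().WithZone("")
	for _, p := range blockedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// DialControl is for net.Dialer.Control: it runs after DNS resolution, on the
// literal ip:port about to be connected, so a hostname that resolves (or later
// re-resolves) to an internal address is refused at the socket, not the URL.
func DialControl(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || IsBlockedAddr(ap.Addr()) {
		return fmt.Errorf("image import: destination %q not allowed", address)
	}
	return nil
}
```

Wire it as `(&net.Dialer{Control: DialControl}).DialContext` on the importer's http.Transport; because HTTP redirects are dialed through the same transport, a redirect to an internal host is refused by the same hook.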

CWE: CWE-918
Vendor: canonical
Product: lxd
Published: Jun 26, 2026
Last Updated: Jun 26, 2026

CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

Canonical / lxd
6.0 < 6.10

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6
github.com: https://github.com/canonical/lxd/pull/18462

Credits

Babajide Emmanuel Fakile