CVE-2026-3351

UNKNOWN 0.0

Authorization Bypass in LXD GET /1.0/certificates Endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

CWE	CWE-862
Vendor	canonical
Product	lxd
Ecosystems	Linux
Industries	Technology
Published	Mar 3, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for canonical lxd

Be the first to know when new unknown vulnerabilities affecting canonical lxd are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Canonical / lxd

6.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r github.com: https://github.com/canonical/lxd/pull/17738 github.com: https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1