{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3351", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-02-27T16:38:38.974Z", "datePublished": "2026-03-03T12:49:25.034Z", "dateUpdated": "2026-03-05T17:20:25.645Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/canonical/lxd", "defaultStatus": "unaffected", "packageName": "lxd", "platforms": ["Linux"], "product": "lxd", "programFiles": ["certificates.go"], "repo": "https://github.com/canonical/lxd", "vendor": "Canonical", "versions": [{"status": "affected", "version": "6.6"}]}], "descriptions": [{"lang": "en", "value": "Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-03-05T17:20:25.645Z"}, "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/17738", "name": "lxd/certificates: Return only allowed certificates in non-recursive list", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1", "tags": ["patch"]}], "source": {"discovery": "EXTERNAL"}, "title": "Authorization Bypass in LXD GET /1.0/certificates Endpoint", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T14:46:45.446167Z", "id": "CVE-2026-3351", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:47:00.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T14:46:45.446167Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:46:53.694Z"}}], "cna": {"title": "Authorization Bypass in LXD GET /1.0/certificates Endpoint", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/canonical/lxd", "vendor": "Canonical", "product": "lxd", "versions": [{"status": "affected", "version": "6.6"}], "platforms": ["Linux"], "packageName": "lxd", "programFiles": ["certificates.go"], "collectionURL": "https://github.com/canonical/lxd", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/17738", "name": "lxd/certificates: Return only allowed certificates in non-recursive list", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-03-05T17:20:25.645Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3351", "state": "PUBLISHED", "dateUpdated": "2026-03-05T17:20:25.645Z", "dateReserved": "2026-02-27T16:38:38.974Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-03-03T12:49:25.034Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:lxd:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "47DA1600-A935-4669-8D43-EF34B9238376", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server."}, {"lang": "es", "value": "Autorizaci\u00f3n incorrecta en el endpoint de la API GET /1.0/certificates en Canonical LXD 6.6 en Linux permite a un usuario autenticado y restringido enumerar todas las huellas digitales de certificados confiadas por el servidor lxd."}], "id": "CVE-2026-3351", "lastModified": "2026-03-11T18:41:28.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-03-03T13:16:21.350", "references": [{"source": "security@ubuntu.com", "tags": ["Patch"], "url": "https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/canonical/lxd/pull/17738"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "generic", "value": "6.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "lxd", "source": "cna", "vendor": "LXD"}, "product": "lxd", "vendor": "lxd"}], "analysis": {"en": {"generated_at": "2026-04-17T13:23:39.218089+00:00", "value": {"mitigation_remediation": ["Upgrade LXD to a patched version that includes the fix for the GET /1.0/certificates authorization check, as referenced in the vendor\u2019s security advisory.", "Ensure that users with restricted privileges are only granted those privileges that are necessary and do not include unnecessary access to the certificates endpoint.", "Consider monitoring for unusual use of the GET /1.0/certificates endpoint by restricted users and audit certificate listings for suspicious activity."], "summary": {"action": "Assess", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Canonical LXD 6.6 running on Linux distributions.", "description_and_impact": "The flaw is an authorization bypass in the GET /1.0/certificates API in Canonical LXD 6.6 on Linux. An authenticated, restricted user can call this endpoint and retrieve the fingerprints of all certificates that the LXD server trusts. This disclosure can give an attacker insight into the server\u2019s trust store, potentially aiding further attacks or revealing sensitive configuration information.", "risk_and_exploitability": "The CVSS score of 2.1 ranks this as low severity, and the EPSS score indicates a very low likelihood of exploitation. The vulnerability requires the attacker to be authenticated with restricted privileges, a condition that is only met by legitimate but potentially limited users. Because the exploitation does not lead to code execution or full system compromise, the overall risk to confidentiality or integrity is modest, though disclosure of certificate fingerprints could assist in social engineering or credential gathering."}}}}, "created": "2026-03-04T14:54:23.349277+00:00", "updated": "2026-04-17T13:30:19.601316+00:00", "vendors": ["lxd", "lxd$PRODUCT$lxd"]}