{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34179", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2026-03-26T09:24:08.449Z", "datePublished": "2026-04-09T09:22:14.693Z", "dateUpdated": "2026-04-09T11:54:18.487Z"}, "containers": {"cna": {"title": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin", "affected": [{"vendor": "Canonical", "product": "lxd", "platforms": ["Linux"], "collectionURL": "https://github.com/canonical", "packageName": "lxd", "repo": "https://github.com/canonical/lxd", "programFiles": ["permissions.go"], "versions": [{"status": "affected", "version": "4.12.0", "lessThan": "5.0.7", "versionType": "semver"}, {"status": "affected", "version": "5.1.0", "lessThan": "5.21.5", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-915", "description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes", "type": "CWE"}]}], "descriptions": [{"lang": "en", "value": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin."}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5", "name": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/17936", "name": "Improve validation on certificate edit", "tags": ["patch", "issue-tracking"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Miha Purg", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-09T09:22:14.693Z"}}, "adp": [{"references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T11:54:14.860013Z", "id": "CVE-2026-34179", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T11:54:18.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34179", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T11:54:14.860013Z"}}}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T11:54:09.651Z"}}], "cna": {"title": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Miha Purg"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/canonical/lxd", "vendor": "Canonical", "product": "lxd", "versions": [{"status": "affected", "version": "4.12.0", "lessThan": "5.0.7", "versionType": "semver"}, {"status": "affected", "version": "5.1.0", "lessThan": "5.21.5", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.8.0", "versionType": "semver"}], "platforms": ["Linux"], "packageName": "lxd", "programFiles": ["permissions.go"], "collectionURL": "https://github.com/canonical", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5", "name": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin", "tags": ["vdb-entry", "vendor-advisory"]}, {"url": "https://github.com/canonical/lxd/pull/17936", "name": "Improve validation on certificate edit", "tags": ["patch", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes"}]}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2026-04-09T09:22:14.693Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34179", "state": "PUBLISHED", "dateUpdated": "2026-04-09T11:54:18.487Z", "dateReserved": "2026-03-26T09:24:08.449Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2026-04-09T09:22:14.693Z", "assignerShortName": "canonical"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "matchCriteriaId": "41A5CC7C-00BE-436D-957A-4636E52D0DF1", "versionEndIncluding": "5.0.6", "versionStartIncluding": "4.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "matchCriteriaId": "92A82DF4-3ED9-47E0-BDF1-DB9138EE0883", "versionEndIncluding": "5.21.4", "versionStartIncluding": "5.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C28FC63-0BE4-4B40-A87F-DF242AE33303", "versionEndIncluding": "6.7", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin."}], "id": "CVE-2026-34179", "lastModified": "2026-04-22T20:51:25.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2026-04-09T10:16:21.963", "references": [{"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/canonical/lxd/pull/17936"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "security@ubuntu.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[4.12.0,5.0.7)"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[5.1.0,5.21.5)"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "lxd", "source": "cna", "vendor": "Canonical"}, "product": "lxd", "vendor": "canonical"}], "analysis": {"en": {"generated_at": "2026-04-09T10:20:35.489145+00:00", "value": {"mitigation_remediation": ["Apply the latest patched release of Canonical LXD to eliminate the Type field validation flaw."], "summary": {"action": "Immediate Patch", "impact": "Remote Privilege Escalation to Cluster Admin"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Canonical's LXD container hypervisor, specifically versions 4.12 through 6.7. Users running LXD at these release levels and utilizing the certificate management API are at risk.", "description_and_impact": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function does not validate the Type field when handling PUT or PATCH requests to the /1.0/certificates/{fingerprint} endpoint for restricted TLS certificate users. This omission allows a remote authenticated attacker that can perform certificate updates to change the certificate type and consequently elevate their privileges to cluster admin. The flaw represents a classic privilege\u2011escalation vulnerability as defined by CWE\u2011915, potentially giving full control over the cluster.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity, and the flaw is exploitable by any authenticated user with certificate update permissions. Because the attacker must first authenticate to LXD, the threat is confined to compromised or less privileged accounts within the same cluster, but the impact reaches cluster\u2011wide administrative control. EPSS is not available and the issue is not listed in the CISA KEV catalog, suggesting it may not yet be broadly exploited in the wild."}}}}, "created": "2026-04-10T08:53:51.421887+00:00", "updated": "2026-04-10T09:33:01.431851+00:00", "vendors": ["canonical", "canonical$PRODUCT$lxd"]}