SB2026030348 - Multiple vulnerabilities in lxd
Published: March 3, 2026 Updated: April 9, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Missing authorization (CVE-ID: CVE-2026-3351)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists because the "/1.0/certificates" endpoint returns URLs containing fingerprints for all certificates in the trust store, bypassing the per-object can_view authorization check. A remote user can gain access to sensitive information.
2) OS Command Injection (CVE-ID: CVE-2026-28384)
The vulnerability allows a remote user to execute arbitrary code on the host.
The vulnerability exists due to improper neutralization of special elements used in an OS command in the compressFile function and related image and backup API handlers when processing a user-supplied compression_algorithm value. A remote user can send a specially crafted API request to execute arbitrary code on the host.
Exploitation requires image creation or backup management permissions, and code execution occurs in the LXD daemon context, typically as root.
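The usual mitigation for the second issue is to stop treating compression_algorithm as free text: map it through an allowlist to a fixed executable and spawn that executable with an argument vector rather than through a shell. The Go example below is added here to illustrate that pattern; it is not LXD's code, and the allowlist, function names and "-c" flag are assumptions for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Constructed allowlist mapping accepted API values to a fixed executable;
// LXD's real supported set is not assumed here. "none" means no compressor.
var allowedCompressors = map[string]string{
	"gzip": "gzip", "bzip2": "bzip2", "xz": "xz", "zstd": "zstd", "none": "",
}

// Even allowlisted keys must look like a bare program name (no flags, paths
// or shell metacharacters), so a later allowlist edit cannot reopen the hole.
var validName = regexp.MustCompile(`^[a-z0-9]+$`)

// ValidateCompressionAlgorithm maps an untrusted compression_algorithm value
// to a fixed executable name, or rejects it.
func ValidateCompressionAlgorithm(value string) (string, error) {
	if !validName.MatchString(value) {
		return "", fmt.Errorf("compression_algorithm %q: invalid characters", value)
	}
	binary, ok := allowedCompressors[value]
	if !ok {
		return "", fmt.Errorf("compression_algorithm %q: not supported", value)
	}
	return binary, nil
}

// CompressArgv returns the argument vector for the compressor, or nil for
// "none". It is passed to exec.Command, never to "sh -c", so no element can
// be reinterpreted by a shell.
func CompressArgv(value string) ([]string, error) {
	binary, err := ValidateCompressionAlgorithm(value)
	if err != nil || binary == "" {
		return nil, err
	}
	return []string{binary, "-c"}, nil
}

// NewCompressCmd spawns the compressor directly, reading the tar stream on
// stdin. Returns (nil, nil) when no compression is requested.
func NewCompressCmd(value string) (*exec.Cmd, error) {
	argv, err := CompressArgv(value)
	if err != nil || argv == nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}
```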
Remediation
Install update from vendor's website.