SB2026063043 - Server-Side Request Forgery (SSRF) in LXD

Published: June 30, 2026

Security Bulletin ID: SB2026063043
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-28385)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to probe internal network services and disclose limited network information.

The vulnerability exists due to server-side request forgery (SSRF) in the image import-from-URL endpoint when processing an attacker-supplied image URL. A remote user can send a specially crafted API request to probe internal network services and disclose limited network information.

The requests are made by the LXD daemon from its privileged network position, and differences in the errors returned for the supplied URL allow a user to distinguish reachable, closed, and filtered internal ports.
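As an added illustration of the defensive check such an endpoint needs (example code, not LXD's own), the Go function below vets a user-supplied image URL before the daemon fetches anything: it rejects non-https schemes and any host that is, or resolves to, a loopback, private, link-local or otherwise internal address, and returns the vetted addresses so the caller connects to exactly those. Because rejection happens before any connection is attempted, the per-port error differences described above cannot arise. The function names, the injected resolver and the example.com hosts are assumptions made for this illustration.

```go
package main
import (
	"fmt"
	"net"
	"net/url"
)

// isInternalIP flags loopback, RFC 1918, link-local (incl. 169.254/16), unspecified
// and multicast addresses; To4 unwraps IPv4-mapped IPv6 so ::ffff:127.0.0.1 cannot bypass it.
func isInternalIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsInterfaceLocalMulticast()
}

// CheckImageURL vets a user-supplied image URL before anything is fetched (resolve is
// net.LookupIP in production, fakeResolve below offline) and returns the vetted addresses
// so the caller dials exactly those instead of re-resolving the name (DNS rebinding).
func CheckImageURL(raw string, resolve func(string) ([]net.IP, error)) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return nil, fmt.Errorf("only https URLs with a host are accepted: %q", raw)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address, nothing to resolve
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips { // a single internal A/AAAA record refuses the whole import
		if isInternalIP(ip) {
			return nil, fmt.Errorf("image URL points at an internal address")
		}
	}
	return ips, nil
}

// fakeResolve is a constructed lookup table standing in for DNS (assumed hosts).
func fakeResolve(host string) ([]net.IP, error) {
	switch host {
	case "images.example.com":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "rebind.example.com": // one public and one private record
		return []net.IP{net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}
```

The same generic error string is returned for every refused address, so the response does not reveal which internal check failed.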


Remediation

Install the update from the vendor's website.