SB2026063043 - Server-Side Request Forgery (SSRF) in LXD
Published: June 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-28385)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to probe internal network services and disclose limited network information.
The vulnerability exists due to server-side request forgery (SSRF) in the image import-from-URL endpoint when processing an attacker-supplied image URL. A remote user can send a specially crafted API request to probe internal network services and disclose limited network information.
The issue affects requests made by the LXD daemon from its privileged network position, and error differences can be used to distinguish reachable, closed, or filtered internal ports.
Remediation
Install update from vendor's website.