Improper access control in LXD - CVE-2026-55622
Published: June 29, 2026
Vulnerability identifier: #VU135796
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-55622
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Linux Containers
Affected software:
LXD
LXD
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in instance copy handling in POST /1.0/instances when copying an instance across projects. A remote user can send a crafted instance copy request referencing a source project and instance they are not authorized to view to disclose sensitive information.
Exploitation requires knowledge of the source project name and source instance name, and the copy occurs on the same server.
How to mitigate CVE-2026-55622
Install security update from vendor's website.