Improper access control in LXD - CVE-2026-55621
Published: June 29, 2026
Vulnerability identifier: #VU135797
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-55621
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Linux Containers
Affected software:
LXD
LXD
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the custom volume copy path when handling storage volume copy requests across projects. A remote user can send a specially crafted request with an attacker-controlled source project to disclose sensitive information.
Exploitation requires knowledge of the source project name and the custom volume name, and the copy must occur on the same server.
How to mitigate CVE-2026-55621
Install security update from vendor's website.