Server-Side Request Forgery (SSRF) in LXD - CVE-2026-28385


Published: June 29, 2026 / Updated: June 30, 2026


Vulnerability identifier: #VU135807
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28385
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Linux Containers
Affected software:
LXD

Detailed vulnerability description

The vulnerability allows a remote user to probe internal network services and disclose limited network information.

The vulnerability exists due to server-side request forgery (SSRF) in the image import-from-URL endpoint when processing an attacker-supplied image URL. A remote user can send a specially crafted API request to probe internal network services and disclose limited network information.

Because the requests are issued by the LXD daemon from its privileged network position, differences in the returned errors can be used to distinguish reachable, closed, or filtered internal ports.
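The two defensive controls implied by the description above are (1) refusing to fetch user-supplied image URLs that resolve to internal addresses and (2) returning one uniform error to the API client so that connection outcomes on internal ports cannot be told apart. The following Go code is an added illustration of both controls; it is not LXD's own code and the function names, the `Resolver` type, and the sample hostnames (`images.example.org`, `rebind.example.org`) are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrURLRejected is the single error surfaced to API clients for any rejected
// URL or failed fetch. Returning one message for every failure removes the
// error-based oracle that would otherwise reveal whether an internal port is
// reachable, closed, or filtered. Detailed causes belong in the server log only.
var ErrURLRejected = errors.New("image URL rejected")

// Resolver abstracts name resolution so the check can be unit-tested offline.
// In production this would be net.LookupIP (hypothetical wiring, not LXD's).
type Resolver func(host string) ([]net.IP, error)

// isInternalIP reports whether ip lies in a range that a public image server
// should never resolve to: loopback, RFC 1918/ULA private, link-local
// (including 169.254.0.0/16 metadata-style endpoints), unspecified, multicast.
// net.IP methods handle IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast()
}

// ValidateImageURL parses a user-supplied image URL, restricts it to http/https,
// resolves the host, and rejects the request if any resolved address is
// internal. It returns the vetted addresses so the caller can dial exactly
// those (pinning them) instead of resolving the name a second time, which
// closes the DNS-rebinding window between check and use.
func ValidateImageURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, ErrURLRejected
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, ErrURLRejected
	}
	host := u.Hostname()
	if host == "" {
		return nil, ErrURLRejected
	}

	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else {
		ips, err = resolve(host)
		if err != nil || len(ips) == 0 {
			return nil, ErrURLRejected
		}
	}
	// Reject if ANY address is internal: a name that returns one public and one
	// private address must not be allowed to pick the private one at dial time.
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, ErrURLRejected
		}
	}
	return ips, nil
}

// SanitizeFetchError collapses whatever the outbound fetch returned (refused,
// timeout, reset, TLS failure) into the one client-visible error.
func SanitizeFetchError(err error) error {
	if err == nil {
		return nil
	}
	return ErrURLRejected
}

func main() {
	// Constructed stub resolver standing in for net.LookupIP.
	stub := func(host string) ([]net.IP, error) {
		if host == "images.example.org" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"https://images.example.org/img.tar.xz",
		"http://127.0.0.1:8443/",
		"http://[::ffff:10.1.2.3]/",
	} {
		ips, err := ValidateImageURL(raw, stub)
		fmt.Printf("%-42s ips=%v err=%v\n", raw, ips, err)
	}
}
```

The check is deliberately conservative: one internal address among several resolved ones rejects the whole request, and the caller is expected to dial the returned addresses rather than the hostname. Any failure after validation should pass through `SanitizeFetchError` before reaching the API response, with the real cause written only to the daemon's log.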


How to mitigate CVE-2026-28385

Install the security update from the vendor's website.

Sources