Server-Side Request Forgery (SSRF) in LXD - CVE-2026-28385
Published: June 29, 2026 / Updated: June 30, 2026
LXD
Detailed vulnerability description
The vulnerability allows a remote user to probe internal network services and disclose limited network information.
The vulnerability exists due to server-side request forgery (SSRF) in the image import-from-URL endpoint when processing an attacker-supplied image URL. A remote user can send a specially crafted API request to probe internal network services and disclose limited network information.
The requests are made by the LXD daemon from its privileged network position, and differences in the errors it returns can be used to distinguish reachable, closed, or filtered internal ports.
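A defensive destination check for a server-side image fetch of the kind described above, as an added example that is not LXD's code or its fix. It assumes an https-only policy; `CheckImageURL`, `lookupFn`, `demoLookup` and `ErrImageSource` are hypothetical names, and every rejection returns the same error so the response does not distinguish reachable, closed, or filtered ports.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

// ErrImageSource is returned for every failure, so the caller gets no port-state oracle.
var ErrImageSource = errors.New("image source rejected or unavailable")

// lookupFn is a hypothetical resolver hook; it lets the check run offline.
type lookupFn func(ctx context.Context, host string) ([]netip.Addr, error)

// CheckImageURL returns the one address the fetcher should dial. Pinning it
// stops a later DNS answer from moving the connection to an internal host.
func CheckImageURL(ctx context.Context, raw string, lookup lookupFn) (netip.Addr, error) {
	u, err := url.Parse(raw)
	// Assumed policy: https only, no embedded credentials.
	if err != nil || u.Scheme != "https" || u.User != nil || u.Hostname() == "" {
		return netip.Addr{}, ErrImageSource
	}
	addrs := []netip.Addr{}
	if ip, perr := netip.ParseAddr(u.Hostname()); perr == nil {
		addrs = append(addrs, ip) // IP literal: no DNS involved
	} else if addrs, err = lookup(ctx, u.Hostname()); err != nil || len(addrs) == 0 {
		return netip.Addr{}, ErrImageSource
	}
	for _, a := range addrs { // every answer must be public, not only the first
		// Rejects loopback, link-local, multicast, unspecified, RFC 1918 and ULA.
		if a = a.Unmap(); !a.IsGlobalUnicast() || a.IsPrivate() {
			return netip.Addr{}, ErrImageSource
		}
	}
	return addrs[0].Unmap(), nil
}

// demoLookup is a constructed offline resolver standing in for DNS.
func demoLookup(_ context.Context, host string) ([]netip.Addr, error) {
	pub, priv := netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("10.0.0.5")
	return map[string][]netip.Addr{"images.example.org": {pub}, "mixed.example.org": {pub, priv}}[host], nil
}

func main() {
	a, err := CheckImageURL(context.Background(), "https://127.0.0.1:8443/", demoLookup)
	fmt.Println(a, err) // constructed input: loopback literal, rejected
}
```

The fetcher has to dial the returned address rather than resolve the name again, and apply the same check to each redirect target.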