CVE-2026-28385 | In Canonical LXD versions 4.12 through 6.9, a Server-Side Re… | CVSS 5.0 MEDIUM

Description

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.

Metadata

CVE ID: CVE-2026-28385
State: PUBLISHED
Assigner: canonical
Reserved: 2026-02-27 11:06 UTC
Published: 2026-06-26 16:23 UTC
Last updated: 2026-06-26 17:13 UTC
Primary CWE: CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product: Canonical / lxd
Sources: cve.org · NVD

Severity & Metrics

5.0 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Canonical	lxd	Linux	6.0 < 6.10

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.0	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References (2)

SSRF via image import from URL allows internal network probing by authenticated users https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6
doc: update guide to hardening security for LXD https://github.com/canonical/lxd/pull/18462