CVE-2026-34179

EUVD-2026-20876
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
canonicalCNA
9.1 CRITICAL
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
canonicallxd
4.12.0 ≤
𝑥
< 5.0.7
CNA
canonicallxd
5.1.0 ≤
𝑥
< 5.21.5
CNA
canonicallxd
6.0.0 ≤
𝑥
< 6.8.0
CNA
Common Weakness Enumeration
References
https://github.com/canonical/lxd/pull/17936
https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5
https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5