How to fix CVE-2025-54286?

Within 7 days: Identify all affected systems running LXD-UI in Canonical LXD and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.

Is Ubuntu affected by CVE-2025-54286?

Organizations using LXD-UI in Canonical LXD face significant risk from CVE-2025-54286, a cross-site request forgery vulnerability rated CVSS 8.8. Attackers could trick authenticated users into performing unintended actions, potentially modifying critical settings or data.

CVE-2025-54286

EUVD-2025-32635 HIGH

2025-10-02 [email protected]

GHSA-p8hw-rfjg-689h

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 13, 2026 - 19:12 euvd

EUVD-2025-32635

Analysis Generated

Mar 13, 2026 - 19:12 vuln.today

PoC Detected

Oct 22, 2025 - 15:47 vuln.today

Public exploit code

CVE Published

Oct 02, 2025 - 10:15 nvd

HIGH 8.8

Description

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

Analysis

Technical Context

Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).

Affected Products

Affected products: Canonical Lxd

Remediation

Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: +20

Vendor Status

Ubuntu

Priority: Medium

lxd

Release	Status	Version
jammy	DNE	-
noble	DNE	-
plucky	DNE	-
bionic	not-affected	no web UI
focal	not-affected	installs LXD snap
upstream	released	5.0.5, 5.21.4, 6.5
xenial	not-affected	no web UI
questing	DNE	-

Debian

incus

Release	Status	Fixed Version	Urgency
trixie	fixed	6.0.4-2+deb13u1	-
trixie (security)	fixed	6.0.4-2+deb13u4	-
forky, sid	fixed	6.0.5-8	-
(unstable)	fixed	6.0.5-1	-

lxd

Release	Status	Fixed Version	Urgency
bookworm	fixed	5.0.2-5+deb12u1	-
bookworm (security)	fixed	5.0.2-5+deb12u3	-
trixie	fixed	5.0.2+git20231211.1364ae4-9+deb13u1	-
trixie (security)	fixed	5.0.2+git20231211.1364ae4-9+deb13u3	-
(unstable)	fixed	(unfixed)	-

DSA-6027-1 DSA-6028-1

CVE-2025-54286 vulnerability details – vuln.today

Back

CVE-2025-54286

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-54286

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code