Skip to main content

Canonical CVE-2026-34179

| EUVDEUVD-2026-20876 CRITICAL
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-04-09 canonical GHSA-c3h3-89qf-jqm5
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 20:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 09:30 euvd
EUVD-2026-20876
Analysis Generated
Apr 09, 2026 - 09:30 vuln.today
Patch released
Apr 09, 2026 - 09:30 nvd
Patch available
CVE Published
Apr 09, 2026 - 09:22 nvd
CRITICAL 9.1

DescriptionCVE.org

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.

AnalysisAI

Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing Type field validation in doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.

Technical ContextAI

The doCertificateUpdate function in lxd/certificates.go fails to validate the Type field during certificate modification operations. This CWE-915 (improperly controlled modification of dynamically-determined object attributes) flaw allows authenticated restricted certificate users to manipulate certificate properties via PUT/PATCH to /1.0/certificates/{fingerprint}, bypassing intended access controls and elevating to cluster administrator role. Network-accessible (AV:N), low complexity (AC:L), requiring high privileges (PR:H).

RemediationAI

Vendor-released patch: upstream fix available via GitHub pull request (https://github.com/canonical/lxd/pull/17936); released patched version not independently confirmed at time of analysis. Organizations should monitor Canonical's official security advisory (https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5) for release announcements and apply updates immediately upon availability. As an interim mitigation, restrict network access to the LXD API endpoint /1.0/certificates/* to trusted networks only, implement additional authentication layers for certificate management operations, audit existing TLS certificate users for appropriate privilege levels, and revoke restricted certificates if cluster admin escalation risk is unacceptable. Enable comprehensive API request logging to detect unauthorized certificate modification attempts.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-34179 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy