EUVD-2026-20876
GHSA-c3h3-89qf-jqm5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Description
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Analysis
Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all LXD deployments and identify instances running versions 4.12 through 6.7; verify current version via `lxd --version`. Within 7 days: apply vendor-released patch to upgrade all affected LXD instances to version 6.8 or later; test patched versions in non-production environments first and coordinate maintenance windows to minimize cluster downtime. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today