CVE-2026-28385
Publication date 26 June 2026
Last updated 29 June 2026
Ubuntu priority
Description
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| lxd | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Notes
rodrigo-zaiden
LXD is being published as a snap since jammy. This CVE affects version >= 4.0.0, so it doesn't touch versions present in the archive.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
5.0 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N