CVE-2026-3351 Overview
CVE-2026-3351 is an improper authorization vulnerability in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux. The flaw lets an authenticated but restricted user enumerate the fingerprints of every certificate trusted by the LXD server, including certificates the user's entitlements should hide from it.
Critical Impact
Authenticated users with restricted access can enumerate trusted certificate fingerprints, potentially revealing the identity and scope of other trusted entities in the LXD environment.
Affected Products
- Canonical LXD 6.6 on Linux
Discovery Timeline
- 2026-03-03 - CVE CVE-2026-3351 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-3351
Vulnerability Analysis
This vulnerability stems from missing authorization checks (CWE-862) in the LXD certificates API endpoint. When a restricted user requests the non-recursive listing at /1.0/certificates, the server answers with one URL per trusted certificate, each of the form /1.0/certificates/<fingerprint>, without filtering that list by the caller's entitlements. The restricted user therefore receives the fingerprint of every certificate trusted by the server rather than only those it is authorized to view.
This information disclosure allows restricted users to gain visibility into the broader trust relationships within the LXD infrastructure, which could be leveraged for reconnaissance in more sophisticated attack chains.
Root Cause
The root cause is inadequate authorization enforcement in the certificate listing handler. The original implementation fetched every certificate from the database and, for a non-recursive request (GET /1.0/certificates without ?recursion=1), built the response URLs directly from that unfiltered slice. Authorization was enforced for access to an individual certificate (GET /1.0/certificates/<fingerprint>), but the URL list returned in non-recursive mode bypassed it.
Attack Vector
The attack vector is network-based and requires authentication. An attacker needs valid credentials with restricted access to the LXD server. Once authenticated, the attacker issues a plain GET /1.0/certificates request (no recursion parameter) and receives the URLs, and with them the fingerprints, of every trusted certificate regardless of its own entitlements.
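The root-cause and attack-vector paragraphs above describe an asymmetry: entitlements are checked on one representation of the listing but not the other. The Go program below is an added example written for this page, not LXD's own code, that reproduces the flawed shape beside a corrected one. The Certificate type, the Authorizer interface, the toy policy and the sample fixture are all assumptions for the example; only the URL shape /1.0/certificates/<fingerprint> comes from LXD.

```go
package main

import "fmt"

// Certificate is a stand-in for a trusted-certificate database row.
// Assumed shape for this example; it is not LXD's dbCluster.Certificate.
type Certificate struct {
	Fingerprint string
	Name        string
}

// Authorizer decides whether an identity may view a certificate URL.
// Assumed interface standing in for LXD's entitlement checks.
type Authorizer interface {
	CanView(identity, certURL string) bool
}

// ListResponse holds either form of the listing: URLs for a non-recursive
// request, full objects for a recursive (?recursion=1) request.
type ListResponse struct {
	URLs  []string
	Certs []Certificate
}

// certURL builds the per-certificate URL. LXD addresses trusted certificates
// by fingerprint, so every URL in a listing reveals one fingerprint.
func certURL(fingerprint string) string {
	return "/1.0/certificates/" + fingerprint
}

// listVulnerable reproduces the flawed shape: the recursive path checks
// entitlements per certificate, but the non-recursive path turns every
// database row into a URL without consulting the authorizer.
func listVulnerable(all []Certificate, auth Authorizer, identity string, recursive bool) ListResponse {
	var resp ListResponse
	for _, c := range all {
		u := certURL(c.Fingerprint)
		if recursive {
			if auth.CanView(identity, u) {
				resp.Certs = append(resp.Certs, c)
			}
			continue
		}
		resp.URLs = append(resp.URLs, u) // no entitlement check: leaks every fingerprint
	}
	return resp
}

// listFixed applies one entitlement check before either representation is
// emitted, so the recursion mode cannot change what the caller may see.
func listFixed(all []Certificate, auth Authorizer, identity string, recursive bool) ListResponse {
	var resp ListResponse
	for _, c := range all {
		u := certURL(c.Fingerprint)
		if !auth.CanView(identity, u) {
			continue
		}
		if recursive {
			resp.Certs = append(resp.Certs, c)
		} else {
			resp.URLs = append(resp.URLs, u)
		}
	}
	return resp
}

// policy is a toy authorizer: admins may view every certificate, a restricted
// identity may view only the certificate it authenticates with. This is an
// assumed policy for the example, not LXD's entitlement model.
type policy struct {
	admins map[string]bool
	owned  map[string]string // identity -> URL of its own certificate
}

func (p policy) CanView(identity, certURL string) bool {
	return p.admins[identity] || p.owned[identity] == certURL
}

// sampleFixture returns constructed data: three trusted certificates, one
// admin identity and one restricted identity that owns the first certificate.
func sampleFixture() ([]Certificate, Authorizer) {
	certs := []Certificate{
		{Fingerprint: "3f1a9c2e7b4d", Name: "ci-runner"},
		{Fingerprint: "8b7e01d4c5a2", Name: "ops-laptop"},
		{Fingerprint: "c0ffee1234ab", Name: "backup-host"},
	}
	auth := policy{
		admins: map[string]bool{"admin": true},
		owned:  map[string]string{"ci-runner": certURL("3f1a9c2e7b4d")},
	}
	return certs, auth
}

func main() {
	certs, auth := sampleFixture()
	fmt.Println("vulnerable, restricted, non-recursive:", listVulnerable(certs, auth, "ci-runner", false).URLs)
	fmt.Println("fixed, restricted, non-recursive:     ", listFixed(certs, auth, "ci-runner", false).URLs)
	fmt.Println("fixed, admin, non-recursive:          ", listFixed(certs, auth, "admin", false).URLs)
}
```

The point to take from the corrected version is structural rather than cosmetic: the entitlement check sits in front of both output forms, so a later addition of a third representation (or a different recursion value) cannot reintroduce the leak.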
// Security patch - lxd/certificates.go
// Source: https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1
}
var certResponses []*api.Certificate
- var baseCerts []dbCluster.Certificate
+ var certURLs []string
urlToCertificate := make(map[*api.URL]auth.EntitlementReporter)
err = d.State().DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error {
- baseCerts, err = dbCluster.GetCertificates(ctx, tx.Tx())
+ baseCerts, err := dbCluster.GetCertificates(ctx, tx.Tx())
if err != nil {
return err
}
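Review bot: the hunk declares certURLs but the visible lines stop before it is populated, so the entitlement filtering this fix relies on cannot be reviewed here; the non-recursive branch must build its URL list from the entries that pass the auth.EntitlementReporter check tracked in urlToCertificate, never from baseCerts directly, and that code should be included in the excerpt. The switch to `baseCerts, err := dbCluster.GetCertificates(ctx, tx.Tx())` inside the closure shadows the outer err, which is harmless because the closure returns it, and keeping baseCerts local does stop the unfiltered slice from escaping the transaction.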
The patch changes how certificates are retrieved and filtered, ensuring that only certificates the user is entitled to view are included in the response. In the visible hunk, baseCerts is narrowed to the transaction closure and a separate certURLs slice is introduced, so the full, unfiltered list read from the database no longer escapes the transaction; the remainder of the fix (not shown here) builds the non-recursive response from certURLs, which holds only the entries the caller is entitled to see.
Detection Methods for CVE-2026-3351
Indicators of Compromise
- GET /1.0/certificates requests, particularly non-recursive ones (no ?recursion=1 parameter), from restricted identities
- Audit logs showing certificate enumeration attempts by users without administrative privileges
- Repeated queries to the certificates endpoint that deviate from normal usage patterns
Detection Strategies
- Enable and monitor LXD audit logging for API endpoint access patterns
- Implement alerting for certificate endpoint access by non-administrative users
- Review access control configurations to identify potentially impacted restricted accounts
Monitoring Recommendations
- Configure centralized logging for all LXD API requests
- Monitor authentication logs for restricted account activity patterns
- Establish baseline behavior for certificate API usage to detect anomalies
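The detection and monitoring items above amount to one rule: count certificate-listing requests per identity, separate non-recursive listings from recursive ones, and ignore identities that are expected to list certificates. The Go program below is an added example for this page, not an LXD component; it runs that rule over constructed log lines in a logfmt-style format whose field names (method, url, username) are an assumption, not LXD's documented log schema, so parseLogfmt and the field names must be adapted to whatever your LXD request logging actually emits.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog is a constructed set of request-log lines in a logfmt style.
// The field names are an assumption for this example, not LXD's log schema.
var sampleLog = []string{
	`time="2026-03-04T10:02:11Z" level=debug msg="Handling API request" ip=10.0.0.12:51234 method=GET protocol=tls url=/1.0/certificates username=ci-runner`,
	`time="2026-03-04T10:02:13Z" level=debug msg="Handling API request" ip=10.0.0.5:40110 method=GET protocol=tls url="/1.0/certificates?recursion=1" username=admin`,
	`time="2026-03-04T10:02:20Z" level=debug msg="Handling API request" ip=10.0.0.12:51240 method=GET protocol=tls url=/1.0/instances username=ci-runner`,
	`time="2026-03-04T10:02:31Z" level=debug msg="Handling API request" ip=10.0.0.12:51244 method=GET protocol=tls url=/1.0/certificates/3f1a9c2e7b4d username=ci-runner`,
	`time="2026-03-04T10:03:02Z" level=debug msg="Handling API request" ip=10.0.0.12:51251 method=GET protocol=tls url=/1.0/certificates username=ci-runner`,
	`time="2026-03-04T10:03:05Z" level=debug msg="Handling API request" ip=10.0.0.9:33012 method=GET protocol=tls url="/1.0/certificates?recursion=1" username=metrics-scraper`,
}

// parseLogfmt splits one key=value line into a map. Values may be quoted
// with double quotes so that they can contain spaces.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	i := 0
	for i < len(line) {
		for i < len(line) && line[i] == ' ' {
			i++
		}
		if i >= len(line) {
			break
		}
		eq := strings.IndexByte(line[i:], '=')
		if eq < 0 {
			break // trailing bare token, nothing more to parse
		}
		key := line[i : i+eq]
		i += eq + 1
		var val string
		if i < len(line) && line[i] == '"' {
			i++
			end := strings.IndexByte(line[i:], '"')
			if end < 0 {
				end = len(line) - i
			}
			val = line[i : i+end]
			i += end + 1
		} else {
			end := strings.IndexByte(line[i:], ' ')
			if end < 0 {
				end = len(line) - i
			}
			val = line[i : i+end]
			i += end
		}
		fields[key] = val
	}
	return fields
}

// Finding summarises certificate-listing activity for one non-admin identity.
type Finding struct {
	Identity     string
	Listings     int // GET /1.0/certificates hits of any form
	NonRecursive int // hits without ?recursion=1, the request shape the bug affects
}

// findCertificateEnumeration returns, in first-seen order, every identity not
// in admins that listed /1.0/certificates. Requests for a single certificate
// (/1.0/certificates/<fingerprint>) are not listings and are ignored.
func findCertificateEnumeration(lines []string, admins map[string]bool) []Finding {
	byIdentity := map[string]*Finding{}
	var order []string
	for _, ln := range lines {
		f := parseLogfmt(ln)
		if f["method"] != "GET" {
			continue
		}
		parts := strings.SplitN(f["url"], "?", 2)
		if parts[0] != "/1.0/certificates" {
			continue
		}
		query := ""
		if len(parts) == 2 {
			query = parts[1]
		}
		id := f["username"]
		if admins[id] {
			continue
		}
		fd, ok := byIdentity[id]
		if !ok {
			fd = &Finding{Identity: id}
			byIdentity[id] = fd
			order = append(order, id)
		}
		fd.Listings++
		if !strings.Contains(query, "recursion=1") {
			fd.NonRecursive++
		}
	}
	out := make([]Finding, 0, len(order))
	for _, id := range order {
		out = append(out, *byIdentity[id])
	}
	return out
}

func main() {
	for _, fd := range findCertificateEnumeration(sampleLog, map[string]bool{"admin": true}) {
		fmt.Printf("%s: %d certificate listings, %d non-recursive\n", fd.Identity, fd.Listings, fd.NonRecursive)
	}
}
```

Two design choices matter for tuning this in production. The path comparison is exact rather than a prefix match, so legitimate single-certificate lookups do not inflate the count. And the admin allow-list is passed in rather than inferred from the log, because on an unpatched server the log cannot tell you whether a listing was authorized; the identity's entitlements, taken from lxc auth identity list, are the only reliable source.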
How to Mitigate CVE-2026-3351
Immediate Actions Required
- Update Canonical LXD to a patched version that addresses this authorization issue
- Review restricted user accounts and their current access to sensitive endpoints
- Audit certificate trust relationships that may have been exposed
Patch Information
Canonical has addressed this vulnerability through code changes to the certificate listing functionality. The fix ensures that the /1.0/certificates endpoint properly filters results based on user entitlements. The security patch is available in the GitHub commit d936c90d47cf and was merged via Pull Request #17738. Additional details are available in the GitHub Security Advisory GHSA-crmg-9m86-636r.
Workarounds
- Restrict network access to the LXD API to trusted networks only
- Review and minimize the number of restricted user accounts with API access
- Implement additional network segmentation to limit exposure of LXD management interfaces
# Workaround 1 - Bind the LXD API listener to loopback only. Remote clients,
# restricted ones included, can no longer reach /1.0/certificates until the
# listener is re-bound to a management address; administer over an SSH tunnel meanwhile.
lxc config set core.https_address 127.0.0.1:8443
# Workaround 2 - Audit restricted identities. Match "restricted" as a whole word
# so that identities labelled "unrestricted" are not listed by mistake.
lxc auth identity list --format=csv | grep -wi restricted
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

