CVE-2026-3351

← CVEs

MED 4.3

Published

2026-03-03

Last Modified

2026-03-11

Affected Apps

Affected Devices

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

Affected Applications in Environment 3

lxd v1:0.10

6 devices

lxd v2.0.11-0ubuntu1~16.04.4

2 devices

lxd v2.0.11-0ubuntu1~16.04.4+esm1

1 device

Affected Devices 9

ezidadmin Linux hotcheeto Linux mail Linux monitor01 Linux my1 Linux my2 Linux web14.usu.edu Linux web22 Linux web36.usu.edu Linux

References 3

https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1
https://github.com/canonical/lxd/pull/17738
https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r