CVE Catalog

CVE-2026-28385

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

In LXD versions 4.12 through 6.9, an SSRF vulnerability in the image import functionality allows authenticated users with can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. The LXD daemon fails to validate outbound destination IP addresses, enabling connections to loopback, RFC1918 private ranges, and cloud metadata endpoints.

Risk Assessment

An attacker can perform error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position, potentially leading to privilege escalation or data exfiltration from the internal network.

Recommendation

Upgrade LXD to version 6.10 or later, which includes a fix restricting allowed destination addresses for image imports. As a temporary workaround, restrict the can_create_images entitlement to trusted users only.

Original NVD description (English source)

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS