Canonical LXD on Linux: Authenticated Users Can Access All Trusted Certificates
CVE-2026-3351
GHSA-crmg-9m86-636r
Summary
An authenticated user with restricted permissions in Canonical LXD 6.6 on Linux can call the API endpoint GET /1.0/certificates and enumerate the fingerprints of all certificates trusted by the LXD server. The endpoint lacks an authorization check (CWE-862), so the fingerprint list is disclosed to users who are not authorized to see it. To mitigate this issue, update to the latest version of Canonical LXD or restrict access to the affected API endpoint.
What to do
- Update github.com canonical to version 0.0.0-20260224152359-d936c90d47cf.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | canonical | <= 0.0.0-20260224152359-d936c90d47cf | 0.0.0-20260224152359-d936c90d47cf |
| canonical | lxd | 6.6 | – |
Original title
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd ...
Original description
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
NVD CVSS 4.0
2.1
Vulnerability type
CWE-862
Missing Authorization
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026