
CVE-2025-54289: Canonical LXD versions before 6.5 allow unauthorized access to system sessions

GHSA-3g72-chj4-2228 CVE-2025-54289
Summary

A security issue in LXD versions before 6.5 (and in the 5.21 LTS series before 5.21.4) allows an attacker who holds only read permissions to hijack terminal or console sessions exposed through the operations API and execute arbitrary commands through them, escalating well beyond read-only access. An attacker could use this to read sensitive data or disrupt the affected instances. Update to LXD 6.5 or later (or 5.21.4 or later on the 5.21 LTS track) to address this issue.

What to do
  • Update github.com/canonical/lxd to version 5.21.4 (5.21 LTS track).
  • Update github.com/canonical/lxd to version 6.5 (6.x track).
  • If you pin the Go module by commit, update github.com/canonical/lxd to pseudo-version 0.0.0-20250827065555-0494f5d47e41 or later.
Affected software
Ecosystem: go
Vendor/Product: github.com/canonical/lxd
Affected versions:
  • >= 4.0, < 5.21.4
  • >= 6.0, < 6.5
  • >= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41
Fix: upgrade to 5.21.4 (4.x/5.x) or 6.5 (6.x)

Product: canonical lxd (cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*)
Affected versions:
  • >= 4.0.0, < 5.21.4
  • >= 6.1, < 6.5
Note that the two sources above disagree on the lower bound of the 6.x range (6.0 versus 6.1); treat any 6.x release before 6.5 as affected until you have confirmed otherwise.
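The ranges above mix plain release versions with Go pseudo-versions, which are easy to misjudge by eye. The following Go program is an added example, not code from the advisory or from the LXD project; it encodes the Go-module ranges from the table and reports whether a given version string falls inside one of them. It assumes you feed it a version in the form LXD prints (for example "5.21.3" or "6.4") or a pseudo-version copied from go.mod; the test strings in main() are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// vrange is one affected range from the advisory: lo inclusive, hi exclusive.
type vrange struct{ lo, hi string }

// affectedRanges is copied from the advisory's table for the Go module
// github.com/canonical/lxd: two release ranges and one pseudo-version range.
var affectedRanges = []vrange{
	{"4.0", "5.21.4"},
	{"6.0", "6.5"},
	{"0.0.0-20200331193331-03aab09f5b5c", "0.0.0-20250827065555-0494f5d47e41"},
}

// parsed is a version reduced to something comparable: numeric release
// components, or the 14-digit commit timestamp of a Go pseudo-version.
type parsed struct {
	nums   []int
	pseudo string
}

// parse accepts "6.4", "v5.21.3" and Go pseudo-versions such as
// "0.0.0-20250827065555-0494f5d47e41"; for a pseudo-version only the
// timestamp is kept, since that is what orders pseudo-versions of one base.
func parse(v string) (parsed, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if strings.HasPrefix(v, "0.0.0-") {
		parts := strings.Split(v, "-")
		if len(parts) != 3 || len(parts[1]) != 14 {
			return parsed{}, fmt.Errorf("malformed pseudo-version %q", v)
		}
		if _, err := strconv.Atoi(parts[1]); err != nil {
			return parsed{}, fmt.Errorf("malformed pseudo-version %q", v)
		}
		return parsed{pseudo: parts[1]}, nil
	}
	var nums []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return parsed{}, fmt.Errorf("malformed version %q", v)
		}
		nums = append(nums, n)
	}
	return parsed{nums: nums}, nil
}

// compare orders two parsed versions of the same kind; missing release
// components count as zero, so "6" == "6.0" == "6.0.0". A release version
// and a pseudo-version are not comparable and report ok=false.
func compare(a, b parsed) (int, bool) {
	if (a.pseudo != "") != (b.pseudo != "") {
		return 0, false
	}
	if a.pseudo != "" {
		return strings.Compare(a.pseudo, b.pseudo), true
	}
	n := len(a.nums)
	if len(b.nums) > n {
		n = len(b.nums)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a.nums) {
			x = a.nums[i]
		}
		if i < len(b.nums) {
			y = b.nums[i]
		}
		if x < y {
			return -1, true
		}
		if x > y {
			return 1, true
		}
	}
	return 0, true
}

// IsAffected reports whether version lies in any affected range. Ranges of a
// different kind (release vs pseudo-version) are skipped, not treated as hits.
func IsAffected(version string) (bool, error) {
	v, err := parse(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		lo, err1 := parse(r.lo)
		hi, err2 := parse(r.hi)
		if err1 != nil || err2 != nil {
			return false, errors.New("malformed range in affectedRanges")
		}
		cLo, ok1 := compare(v, lo)
		cHi, ok2 := compare(v, hi)
		if !ok1 || !ok2 {
			continue
		}
		if cLo >= 0 && cHi < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs, not output from a real host.
	for _, v := range []string{"5.21.3", "5.21.4", "6.4", "6.5", "0.0.0-20250101000000-0123456789ab"} {
		hit, err := IsAffected(v)
		fmt.Printf("%-36s affected=%v err=%v\n", v, hit, err)
	}
}
```

The pseudo-version branch matters for Go projects that vendor LXD by commit rather than by tag: a go.mod line such as the third range's lower bound would otherwise be reported as "0.0.0" and silently pass a naive numeric check.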
Original title
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via We...
Original description
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
CVSS 3.1 (GHSA): 6.8
CVSS 4.0 (GHSA): 7.4
Vulnerability type
CWE-1385: Missing Origin Validation in WebSockets
Published: 2 Oct 2025 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026