CVE-2025-54286 HIGH

CVE-2025-54286: CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI

Vendor Canonical
Product LXD
Weakness CWE-352 · CSRF
Published October 2, 2025
Last update February 26, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.

Key dates

02 Disclosure timeline

October 2, 2025 CVE published
February 26, 2026 Record updated