CVE-2026-3351 LOW

CVE-2026-3351: Authorization Bypass in LXD GET /1.0/certificates Endpoint

Vendor Canonical
Product lxd
Weakness CWE-862 · Missing authorization
Published March 3, 2026
Last update March 5, 2026

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P

What the vulnerability does

01 Description

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the LXD server.

Key dates

02 Disclosure timeline

March 3, 2026 CVE published
March 5, 2026 Record updated