PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28385 Canonical CVE debrief

A Server-Side Request Forgery (SSRF) vulnerability exists in Canonical LXD versions 4.12 through 6.9. The vulnerability is located in the image import functionality and allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.

Vendor
Canonical
Product
lxd
CVSS
MEDIUM 5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-07-06
Advisory published
2026-06-26
Advisory updated
2026-07-06

Who should care

Users of Canonical LXD versions 4.12 through 6.9 who have authenticated access with the can_create_images entitlement should be aware of this vulnerability. This includes administrators and users in environments where LXD is used for managing images and interacting with network resources.

Technical summary

The SSRF vulnerability in Canonical LXD allows an authenticated user to make requests to internal network resources, bypassing normal security restrictions. This can lead to unauthorized interaction with internal services, potentially exposing sensitive information or allowing further exploitation. The vulnerability is particularly concerning because it allows for error-based port scanning and interaction with cloud metadata endpoints.

Defensive priority

Medium

Recommended defensive actions

  • Restrict access to the can_create_images entitlement to only necessary users
  • Implement additional network security controls to limit LXD's access to internal resources
  • Monitor LXD logs for suspicious image import activities
  • Apply patches or updates provided by Canonical as soon as possible
  • Consider implementing compensating controls such as web application firewalls to detect and prevent SSRF attacks

Evidence notes

The CVE record was published on 2026-06-26T17:16:32.430Z and was last modified on 2026-07-06T18:14:53.080Z. The NVD entry is currently Analyzed. The vulnerability is described in the CVE record and additional details are provided in the references linked to the CVE record.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T17:16:32.430Z and has not been modified since then. The NVD entry is currently Analyzed.