PatchSiren cyber security CVE debrief
CVE-2026-28385 Canonical CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability exists in Canonical LXD versions 4.12 through 6.9. The vulnerability is located in the image import functionality and allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
- Vendor
- Canonical
- Product
- lxd
- CVSS
- MEDIUM 5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-26
- Original CVE updated
- 2026-07-06
- Advisory published
- 2026-06-26
- Advisory updated
- 2026-07-06
Who should care
Users of Canonical LXD versions 4.12 through 6.9 who have authenticated access with the can_create_images entitlement should be aware of this vulnerability. This includes administrators and users in environments where LXD is used for managing images and interacting with network resources.
Technical summary
The SSRF vulnerability in Canonical LXD allows an authenticated user to make requests to internal network resources, bypassing normal security restrictions. This can lead to unauthorized interaction with internal services, potentially exposing sensitive information or allowing further exploitation. The vulnerability is particularly concerning because it allows for error-based port scanning and interaction with cloud metadata endpoints.
Defensive priority
Medium
Recommended defensive actions
- Restrict access to the can_create_images entitlement to only necessary users
- Implement additional network security controls to limit LXD's access to internal resources
- Monitor LXD logs for suspicious image import activities
- Apply patches or updates provided by Canonical as soon as possible
- Consider implementing compensating controls such as web application firewalls to detect and prevent SSRF attacks
Evidence notes
The CVE record was published on 2026-06-26T17:16:32.430Z and was last modified on 2026-07-06T18:14:53.080Z. The NVD entry is currently Analyzed. The vulnerability is described in the CVE record and additional details are provided in the references linked to the CVE record.
Official resources
-
CVE-2026-28385 CVE record
CVE.org
-
CVE-2026-28385 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory, Mitigation
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T17:16:32.430Z and has not been modified since then. The NVD entry is currently Analyzed.