Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-28385

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.8%
CVSS Severity
CVSS v3 Score 5.0
Products affected by CVE-2026-28385
  • Canonical » Lxd » Version: 4.12
    cpe:2.3:a:canonical:lxd:4.12
  • Canonical » Lxd » Version: 4.13
    cpe:2.3:a:canonical:lxd:4.13
  • Canonical » Lxd » Version: 4.14
    cpe:2.3:a:canonical:lxd:4.14
  • Canonical » Lxd » Version: 4.15
    cpe:2.3:a:canonical:lxd:4.15
  • Canonical » Lxd » Version: 4.16
    cpe:2.3:a:canonical:lxd:4.16
  • Canonical » Lxd » Version: 4.17
    cpe:2.3:a:canonical:lxd:4.17
  • Canonical » Lxd » Version: 4.18
    cpe:2.3:a:canonical:lxd:4.18
  • Canonical » Lxd » Version: 4.19
    cpe:2.3:a:canonical:lxd:4.19
  • Canonical » Lxd » Version: 4.20
    cpe:2.3:a:canonical:lxd:4.20
  • Canonical » Lxd » Version: 4.21
    cpe:2.3:a:canonical:lxd:4.21
  • Canonical » Lxd » Version: 4.22
    cpe:2.3:a:canonical:lxd:4.22
  • Canonical » Lxd » Version: 4.23
    cpe:2.3:a:canonical:lxd:4.23
  • Canonical » Lxd » Version: 4.24
    cpe:2.3:a:canonical:lxd:4.24
  • Canonical » Lxd » Version: 5.0.0
    cpe:2.3:a:canonical:lxd:5.0.0
  • Canonical » Lxd » Version: 5.0.1
    cpe:2.3:a:canonical:lxd:5.0.1
  • Canonical » Lxd » Version: 5.0.2
    cpe:2.3:a:canonical:lxd:5.0.2
  • Canonical » Lxd » Version: 5.0.3
    cpe:2.3:a:canonical:lxd:5.0.3
  • Canonical » Lxd » Version: 5.0.4
    cpe:2.3:a:canonical:lxd:5.0.4
  • Canonical » Lxd » Version: 5.0.5
    cpe:2.3:a:canonical:lxd:5.0.5
  • Canonical » Lxd » Version: 5.0.6
    cpe:2.3:a:canonical:lxd:5.0.6
  • Canonical » Lxd » Version: 5.0.7
    cpe:2.3:a:canonical:lxd:5.0.7
  • Canonical » Lxd » Version: 5.1
    cpe:2.3:a:canonical:lxd:5.1
  • Canonical » Lxd » Version: 5.10
    cpe:2.3:a:canonical:lxd:5.10
  • Canonical » Lxd » Version: 5.11
    cpe:2.3:a:canonical:lxd:5.11
  • Canonical » Lxd » Version: 5.12
    cpe:2.3:a:canonical:lxd:5.12
  • Canonical » Lxd » Version: 5.13
    cpe:2.3:a:canonical:lxd:5.13
  • Canonical » Lxd » Version: 5.14
    cpe:2.3:a:canonical:lxd:5.14
  • Canonical » Lxd » Version: 5.15
    cpe:2.3:a:canonical:lxd:5.15
  • Canonical » Lxd » Version: 5.16
    cpe:2.3:a:canonical:lxd:5.16
  • Canonical » Lxd » Version: 5.17
    cpe:2.3:a:canonical:lxd:5.17
  • Canonical » Lxd » Version: 5.18
    cpe:2.3:a:canonical:lxd:5.18
  • Canonical » Lxd » Version: 5.19
    cpe:2.3:a:canonical:lxd:5.19
  • Canonical » Lxd » Version: 5.2
    cpe:2.3:a:canonical:lxd:5.2
  • Canonical » Lxd » Version: 5.20
    cpe:2.3:a:canonical:lxd:5.20
  • Canonical » Lxd » Version: 5.21.0
    cpe:2.3:a:canonical:lxd:5.21.0
  • Canonical » Lxd » Version: 5.21.1
    cpe:2.3:a:canonical:lxd:5.21.1
  • Canonical » Lxd » Version: 5.21.2
    cpe:2.3:a:canonical:lxd:5.21.2
  • Canonical » Lxd » Version: 5.21.3
    cpe:2.3:a:canonical:lxd:5.21.3
  • Canonical » Lxd » Version: 5.21.4
    cpe:2.3:a:canonical:lxd:5.21.4
  • Canonical » Lxd » Version: 5.21.5
    cpe:2.3:a:canonical:lxd:5.21.5
  • Canonical » Lxd » Version: 5.3
    cpe:2.3:a:canonical:lxd:5.3
  • Canonical » Lxd » Version: 5.4
    cpe:2.3:a:canonical:lxd:5.4
  • Canonical » Lxd » Version: 5.5
    cpe:2.3:a:canonical:lxd:5.5
  • Canonical » Lxd » Version: 5.6
    cpe:2.3:a:canonical:lxd:5.6
  • Canonical » Lxd » Version: 5.7
    cpe:2.3:a:canonical:lxd:5.7
  • Canonical » Lxd » Version: 5.8
    cpe:2.3:a:canonical:lxd:5.8
  • Canonical » Lxd » Version: 5.9
    cpe:2.3:a:canonical:lxd:5.9
  • Canonical » Lxd » Version: 6.0
    cpe:2.3:a:canonical:lxd:6.0
  • Canonical » Lxd » Version: 6.1
    cpe:2.3:a:canonical:lxd:6.1
  • Canonical » Lxd » Version: 6.2
    cpe:2.3:a:canonical:lxd:6.2
  • Canonical » Lxd » Version: 6.3
    cpe:2.3:a:canonical:lxd:6.3
  • Canonical » Lxd » Version: 6.4
    cpe:2.3:a:canonical:lxd:6.4
  • Canonical » Lxd » Version: 6.5
    cpe:2.3:a:canonical:lxd:6.5
  • Canonical » Lxd » Version: 6.6
    cpe:2.3:a:canonical:lxd:6.6
  • Canonical » Lxd » Version: 6.7
    cpe:2.3:a:canonical:lxd:6.7
  • Canonical » Lxd » Version: 6.8
    cpe:2.3:a:canonical:lxd:6.8
  • Canonical » Lxd » Version: 6.9
    cpe:2.3:a:canonical:lxd:6.9


Contact Us

Shodan ® - All rights reserved