CVE-2026-3351: lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints

March 4, 2026

The GET /1.0/certificates endpoint (non-recursive mode) returns URLs containing fingerprints for all certificates in the trust store, bypassing the per-object can_view authorization check that is correctly applied in the recursive path. Any authenticated identity — including restricted, non-admin users — can enumerate all certificate fingerprints, exposing the full set of trusted identities in the LXD deployment.

References

github.com/advisories/GHSA-crmg-9m86-636r
github.com/canonical/lxd
github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1
github.com/canonical/lxd/pull/17738
github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r
nvd.nist.gov/vuln/detail/CVE-2026-3351

Code Behaviors & Features

Detect and mitigate CVE-2026-3351 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →