CVE-2026-28385
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
In LXD versions 4.12 through 6.9, an SSRF vulnerability in the image import functionality allows authenticated users with can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. The LXD daemon fails to validate outbound destination IP addresses, enabling connections to loopback, RFC1918 private ranges, and cloud metadata endpoints.
Risk Assessment
An attacker can perform error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position, potentially leading to privilege escalation or data exfiltration from the internal network.
Recommendation
Upgrade LXD to version 6.10 or later, which includes a fix restricting allowed destination addresses for image imports. As a temporary workaround, restrict the can_create_images entitlement to trusted users only.
Original NVD description (English source)
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.

