CRITICALCVE-2026-34179Published 2026-04-09Modified 2026-04-09CNA canonical

CVE-2026-34179: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 5.0.7
Affected Products: 1

Fix available

5.0.75.21.56.8.0

Patch commits

Improve validation on certificate edit

Affected packages

Canonical / lxd
< 5.0.7 (from 4.12.0) · < 5.21.5 (from 5.1.0) · < 6.8.0 (from 6.0.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Improve validation on certificate edit

Metrics

Fix available