Cyber Posture

CVE-2026-34179

Severity: Critical · Public PoC

Published: 09 April 2026
Modified: 22 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates the lack of validation on the Type field in PUT/PATCH requests to the certificates endpoint, preventing crafted inputs from enabling privilege escalation.
- prevent: Enforces access control policies to restrict unauthorized modifications to certificate attributes like Type, blocking escalation from restricted TLS users to cluster admin.
- prevent: Implements least privilege to ensure restricted TLS certificate users cannot escalate privileges via certificate updates, limiting the impact of improper validation.

Security Summary [AI-generated]

CVE-2026-34179 is a privilege escalation vulnerability in Canonical LXD versions 4.12 through 6.7. The issue resides in the doCertificateUpdate function within lxd/certificates.go, which does not validate the Type field during PUT/PATCH requests to the /1.0/certificates/{fingerprint} endpoint for users authenticated via restricted TLS certificates. This improper validation, tied to CWE-915, enables attackers to manipulate certificate attributes inappropriately.

A remote authenticated attacker possessing restricted TLS certificate privileges can exploit this vulnerability with low complexity over the network. By sending a crafted PUT/PATCH request, they can escalate their access to cluster administrator level, achieving high confidentiality, integrity, and availability impacts across the changed scope, as indicated by the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Canonical has addressed the issue via a patch in https://github.com/canonical/lxd/pull/17936. Additional details on the vulnerability and remediation are provided in the GitHub Security Advisory at https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5. Security practitioners should apply the patch and review access controls for TLS certificate users in LXD clusters.
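As an added illustration in Go (not LXD's code and not the fix in the linked pull request), the contrast below shows the class of check the description calls for: a certificate update handler that writes the request's Type straight through, beside one that allow-lists Type and refuses privilege-bearing changes from non-admin callers. The Certificate and Caller types, their field names, and the "client"/"server" values are assumptions for this example, not LXD's real API.

```go
package main

import "errors"

// Added illustration, not LXD's code. Field names are assumptions loosely
// modeled on the advisory; "client"/"server" are constructed example values.
type Certificate struct {
	Fingerprint, Name, Type string
	Restricted              bool
}

type Caller struct {
	Fingerprint string
	Admin       bool // false for restricted TLS certificate users
}

var allowedTypes = map[string]bool{"client": true, "server": true}
var (
	ErrInvalidType = errors.New("unknown certificate type")
	ErrNotOwner    = errors.New("restricted caller may only edit its own certificate")
	ErrForbidden   = errors.New("restricted caller may not change Type or Restricted")
)

func apply(stored, req Certificate) Certificate {
	stored.Name, stored.Type, stored.Restricted = req.Name, req.Type, req.Restricted
	return stored
}

// updateVulnerable models the flaw the advisory describes: every field in the
// request body, Type included, is written through regardless of who asks.
func updateVulnerable(stored, req Certificate, caller Caller) (Certificate, error) {
	return apply(stored, req), nil
}

// updateHardened allow-lists Type and lets a non-admin caller change only the
// Name of its own certificate; Type and Restricted stay admin-only.
func updateHardened(stored, req Certificate, caller Caller) (Certificate, error) {
	if !allowedTypes[req.Type] {
		return stored, ErrInvalidType
	}
	if !caller.Admin {
		if caller.Fingerprint != stored.Fingerprint {
			return stored, ErrNotOwner
		}
		if req.Type != stored.Type || req.Restricted != stored.Restricted {
			return stored, ErrForbidden
		}
	}
	return apply(stored, req), nil
}
```

The same ownership and field-level checks apply to PATCH as to PUT: a partial body must be merged into the stored record before comparison, so a missing field cannot be used to slip a changed one past the check.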

Details

CWE(s): CWE-915 (as cited in the security summary above)

Affected Products: canonical / lxd

- 4.12 to 5.0.6
- 5.21.0 to 5.21.4
- 6.0 to 6.7

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a privilege escalation exploit in LXD's certificate update API, allowing restricted TLS users to elevate to cluster administrator privileges via crafted PUT/PATCH requests, directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References