Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-28385— SSRF via image import from URL allows internal network probing by authenticated users

CVSS 5.0 · Medium EPSS 0.17% · P7

Affected Version Matrix 1

VendorProductVersion RangeStatus
Canonicallxd6.0< 6.10affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-28385

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
SSRF via image import from URL allows internal network probing by authenticated users
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Canonical LXD 服务端请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Canonical LXD是英国Canonical公司开源的一款基于Linux系统用于管理应用程序的容器。 Canonical LXD存在服务端请求伪造漏洞,该漏洞源于图片导入功能存在服务端请求伪造漏洞,导致LXD守护进程未能验证或限制出站目标IP地址,允许与内网基础设施进行交互。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Canonicallxd 6.0 ~ 6.10 -

II. Public POCs for CVE-2026-28385

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-28385

登录查看更多情报信息。

Patches & Fixes for CVE-2026-28385 (1)

Vendor Advisories for CVE-2026-28385 (1)

Same Patch Batch · Canonical · 2026-06-26 · 4 CVEs total

CVE-2026-124118.4 HIGHBroken Access Control in Canonical LXD DevLXD API
CVE-2026-96407.2 HIGHLXD Snapshot Import Privilege Escalation Vulnerability
CVE-2026-96396.5 MEDIUMAuthenticated Denial of Service via Malicious Backup Tarball in LXD

IV. Related Vulnerabilities

V. Comments for CVE-2026-28385

No comments yet


Leave a comment