CVE-2026-34179
Published: 09 April 2026
Summary
CVE-2026-34179 is a critical-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Canonical LXD. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 30.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the lack of validation on the Type field in PUT/PATCH requests to the certificates endpoint, preventing crafted inputs from enabling privilege escalation.
- Enforces access control policies to restrict unauthorized modifications to certificate attributes like Type, blocking escalation from restricted TLS users to cluster admin.
- Implements least privilege to ensure restricted TLS certificate users cannot escalate privileges via certificate updates, limiting the impact of improper validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a privilege escalation exploit in LXD's certificate update API, allowing restricted TLS users to elevate to cluster administrator privileges via crafted PUT/PATCH requests, directly enabling T1068: Exploitation for Privilege Escalation.
NVD Description
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Deeper analysis
CVE-2026-34179 is a privilege escalation vulnerability in Canonical LXD versions 4.12 through 6.7. The issue resides in the doCertificateUpdate function within lxd/certificates.go, which does not validate the Type field during PUT/PATCH requests to the /1.0/certificates/{fingerprint} endpoint for users authenticated via restricted TLS certificates. This improper validation, tied to CWE-915, enables attackers to manipulate certificate attributes inappropriately.
A remote authenticated attacker holding a restricted TLS certificate can exploit this vulnerability with low complexity over the network. By sending a crafted PUT/PATCH request, they can escalate their access to cluster administrator level, with high confidentiality, integrity, and availability impact and a change in scope, as reflected in the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Canonical has addressed the issue via a patch in https://github.com/canonical/lxd/pull/17936. Additional details on the vulnerability and remediation are provided in the GitHub Security Advisory at https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5. Security practitioners should apply the patch and review access controls for TLS certificate users in LXD clusters.
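As an added illustration, not LXD's own code and not the fix from the pull request above, the following hypothetical Go handler fragment contrasts the CWE-915 shape described in the analysis (every field of the request body is overlaid onto the stored record) with a deny-by-default field allowlist that refuses privilege-defining attributes such as Type for restricted callers. The Certificate type, its field names and the request bodies are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Certificate is a hypothetical, simplified record built from the fields the
// advisory names; it is not LXD's own type.
type Certificate struct {
	Name       string   `json:"name"`
	Type       string   `json:"type"`
	Restricted bool     `json:"restricted"`
	Projects   []string `json:"projects"`
}

// Fields a restricted caller may modify on its own certificate. Type,
// Restricted and Projects define the privilege level, so they are absent.
var restrictedWritable = map[string]bool{"name": true}

// applyUnchecked is the CWE-915 shape: whatever keys the client sends are
// copied onto the stored record, so a restricted caller can rewrite Type.
func applyUnchecked(stored Certificate, body []byte) (Certificate, error) {
	updated := stored
	err := json.Unmarshal(body, &updated)
	return updated, err
}

// ApplyUpdate merges a PUT/PATCH body into stored, but first inspects the
// keys actually present in the body and rejects any key outside the
// allowlist when the caller is restricted. Unknown keys are denied by
// default, so a new privilege-bearing field cannot slip through unnoticed.
func ApplyUpdate(callerRestricted bool, stored Certificate, body []byte) (Certificate, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(body, &fields); err != nil {
		return stored, fmt.Errorf("invalid body: %w", err)
	}
	if callerRestricted {
		for k := range fields {
			if !restrictedWritable[k] {
				return stored, fmt.Errorf("restricted caller may not modify %q", k)
			}
		}
	}
	return applyUnchecked(stored, body)
}

func main() {
	stored := Certificate{Name: "ci-runner", Type: "client", Restricted: true, Projects: []string{"ci"}}
	// Constructed bodies: a rename, and a rename that also rewrites privilege fields.
	_, err := ApplyUpdate(true, stored, []byte(`{"name":"ci-runner-2","type":"other","restricted":false}`))
	fmt.Println("privilege fields from restricted caller:", err)
	upd, err := ApplyUpdate(true, stored, []byte(`{"name":"ci-runner-2"}`))
	fmt.Println("rename from restricted caller:", upd.Name, upd.Type, upd.Restricted, err)
}
```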
Details
- CWE(s)