{"id":"CVE-2026-28385","summary":"SSRF via image import from URL allows internal network probing by authenticated users","details":"In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.","aliases":["GHSA-3gq2-x4qg-p4g6"],"modified":"2026-07-09T04:01:28.429024314Z","published":"2026-06-26T16:23:56.456Z","database_specific":{"cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28385.json","unresolved_ranges":[{"extracted_events":[{"introduced":"6.0"},{"fixed":"6.10"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"canonical"},"references":[{"type":"WEB","url":"https://github.com/canonical"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28385.json"},{"type":"ADVISORY","url":"https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28385"},{"type":"FIX","url":"https://github.com/canonical/lxd/pull/18462"},{"type":"PACKAGE","url":"https://github.com/canonical/lxd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/canonical/lxd","events":[{"introduced":"fb8480e2fec971a5edcdfd43c0b861355be90f1d"},{"fixed":"0dc5080834a2cde19536a849c56931f6acb067f7"}],"database_specific":{"extracted_events":[{"introduced":"4.12"},{"fixed":"6.9"},{"last_affected":"6.9"}],"cpe":"cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*","source":["DESCRIPTION","CPE_RANGE"]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28385.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"}]}