{"id":"UBUNTU-CVE-2025-54286","details":"Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions \u003e= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.","modified":"2025-12-09T07:53:57.432176Z","published":"2025-10-02T10:15:00Z","withdrawn":"2025-12-09T05:17:11Z","upstream":["CVE-2025-54286"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-54286"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-54286"},{"type":"REPORT","url":"https://github.com/canonical/lxd/security/advisories/GHSA-p8hw-rfjg-689h"}],"affected":[{"package":{"name":"lxd","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/lxd@2.0.11-0ubuntu1~16.04.4+esm1?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.20-0ubuntu4","0.21-0ubuntu3","0.21-0ubuntu5","0.22-0ubuntu1","0.22-0ubuntu2","0.23-0ubuntu1","0.23-0ubuntu2","0.23-0ubuntu3","0.24-0ubuntu2","0.24-0ubuntu3","0.24-0ubuntu4","0.25-0ubuntu1","0.26-0ubuntu2","0.26-0ubuntu3","0.27-0ubuntu1","0.27-0ubuntu2","2.0.0~beta1-0ubuntu3","2.0.0~beta1-0ubuntu4","2.0.0~beta2-0ubuntu1","2.0.0~beta2-0ubuntu2","2.0.0~beta3-0ubuntu1","2.0.0~beta3-0ubuntu2","2.0.0~beta3-0ubuntu3","2.0.0~beta3-0ubuntu4","2.0.0~beta4-0ubuntu1","2.0.0~beta4-0ubuntu2","2.0.0~beta4-0ubuntu3","2.0.0~beta4-0ubuntu4","2.0.0~beta4-0ubuntu5","2.0.0~beta4-0ubuntu6","2.0.0~beta4-0ubuntu7","2.0.0~rc1-0ubuntu1","2.0.0~rc1-0ubuntu2","2.0.0~rc1-0ubuntu3","2.0.0~rc2-0ubuntu2","2.0.0~rc2-0ubuntu3","2.0.0~rc3-0ubuntu1","2.0.0~rc3-0ubuntu2","2.0.0~rc3-0ubuntu3","2.0.0~rc3-0ubuntu4","2.0.0~rc4-0ubuntu1","2.0.0~rc5-0ubuntu1","2.0.0~rc6-0ubuntu1","2.0.0~rc6-0ubuntu2","2.0.0~rc7-0ubuntu1","2.0.0~rc7-0ubuntu2","2.0.0~rc8-0ubuntu1","2.0.0~rc8-0ubuntu2","2.0.0~rc8-0ubuntu3","2.0.0~rc8-0ubuntu5","2.0.0~rc8-0ubuntu6","2.0.0~rc8-0ubuntu7","2.0.0~rc9-0ubuntu2","2.0.0~rc9-0ubuntu3","2.0.0~rc9-0ubuntu4","2.0.0~rc9-0ubuntu5","2.0.0-0ubuntu1","2.0.0-0ubuntu2","2.0.0-0ubuntu3","2.0.0-0ubuntu4","2.0.1-0ubuntu1~16.04.1","2.0.2-0ubuntu1~16.04.1","2.0.3-0ubuntu1~ubuntu16.04.2","2.0.4-0ubuntu1~ubuntu16.04.1","2.0.5-0ubuntu1~ubuntu16.04.1","2.0.8-0ubuntu1~ubuntu16.04.1","2.0.8-0ubuntu1~ubuntu16.04.2","2.0.9-0ubuntu1~16.04.1","2.0.9-0ubuntu1~16.04.2","2.0.10-0ubuntu1~16.04.1","2.0.10-0ubuntu1~16.04.2","2.0.11-0ubuntu1~16.04.2","2.0.11-0ubuntu1~16.04.4","2.0.11-0ubuntu1~16.04.4+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-github-lxc-lxd-dev","binary_version":"2.0.11-0ubuntu1~16.04.4+esm1"},{"binary_name":"lxc2","binary_version":"2.0.11-0ubuntu1~16.04.4+esm1"},{"binary_name":"lxd","binary_version":"2.0.11-0ubuntu1~16.04.4+esm1"},{"binary_name":"lxd-client","binary_version":"2.0.11-0ubuntu1~16.04.4+esm1"},{"binary_name":"lxd-tools","binary_version":"2.0.11-0ubuntu1~16.04.4+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-54286.json"}},{"package":{"name":"lxd","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/lxd@3.0.3-0ubuntu1~18.04.2+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.18-0ubuntu6","2.19-0ubuntu1","2.20-0ubuntu3","2.20-0ubuntu4","2.21-0ubuntu1","2.21-0ubuntu2","2.21-0ubuntu3","2.21-0ubuntu4","3.0.0~beta2-0ubuntu3","3.0.0~beta3-0ubuntu3","3.0.0~beta5-0ubuntu2","3.0.0~beta7-0ubuntu1","3.0.0-0ubuntu1","3.0.0-0ubuntu2","3.0.0-0ubuntu3","3.0.0-0ubuntu4","3.0.1-0ubuntu1~18.04.1","3.0.2-0ubuntu1~18.04.1","3.0.3-0ubuntu1~18.04.1","3.0.3-0ubuntu1~18.04.2","3.0.3-0ubuntu1~18.04.2+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"lxd","binary_version":"3.0.3-0ubuntu1~18.04.2+esm1"},{"binary_name":"lxd-client","binary_version":"3.0.3-0ubuntu1~18.04.2+esm1"},{"binary_name":"lxd-tools","binary_version":"3.0.3-0ubuntu1~18.04.2+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-54286.json"}},{"package":{"name":"lxd","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/lxd@1:0.10?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:0.7","1:0.8","1:0.9","1:0.10"],"ecosystem_specific":{"binaries":[{"binary_name":"lxd","binary_version":"1:0.10"},{"binary_name":"lxd-client","binary_version":"1:0.10"},{"binary_name":"lxd-tools","binary_version":"1:0.10"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-54286.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}