CVE-2026-34178
Published April 9, 2026 · Updated April 9, 2026
What This Means
CVE-2026-34178 is a critical vulnerability affecting Canonical LXD prior to version 6.8. It allows an authenticated remote attacker with instance-creation permissions to exploit a flaw in the backup import feature, bypassing project restrictions by using a manipulated backup.yaml file. To mitigate this risk, upgrade to LXD version 6.8 or later immediately and review current permissions and security configurations.
Official Description
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
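As an added example (not part of this advisory and not LXD's own code), the shell script below performs the defender-side check the description implies: it opens a backup archive and reports restricted instance configuration keys present in backup/container/backup.yaml, the file that pre-6.8 LXD created the instance from without checking it against project restrictions. The sample archives it builds are constructed in-line; the index.yaml field names and the list of restricted keys are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not LXD code): inspect an LXD backup archive for restricted instance
# config keys in backup/container/backup.yaml, the file that LXD < 6.8 used to create the
# instance but never checked against project restrictions (it only checked backup/index.yaml).
set -eu

# Illustrative subset of keys a restricted project is expected to block (assumed list).
RESTRICTED_KEYS='security.privileged raw.lxc raw.apparmor raw.seccomp raw.idmap'

# Build a constructed sample archive with the two-file layout from the advisory.
# $1 = output path, $2 = "clean" or "bypass". Field names in index.yaml are assumed.
make_sample_archive() {
  out=$1; variant=$2
  d=$(mktemp -d)
  mkdir -p "$d/backup/container"
  # index.yaml: the file the project-restriction check looked at
  printf 'name: c1\nbackend: dir\npool: default\ntype: container\n' > "$d/backup/index.yaml"
  # backup.yaml: the file the instance was actually created from
  printf 'container:\n  name: c1\n  config:\n    image.os: ubuntu\n' \
    > "$d/backup/container/backup.yaml"
  if [ "$variant" = bypass ]; then
    # restricted settings present only here, never in index.yaml (placeholder raw.lxc value)
    printf '    security.privileged: "true"\n    raw.lxc: "# placeholder directive"\n' \
      >> "$d/backup/container/backup.yaml"
  fi
  # LXD exports are usually compressed; a plain tar keeps the example dependency-free
  tar -cf "$out" -C "$d" backup
  rm -rf "$d"
}

# Print each restricted key found in backup/container/backup.yaml, one per line.
# Returns 0 if clean, 1 if any key is found, 2 if the archive has no such file.
lxd_backup_restricted_keys() {
  archive=$1
  tmp=$(mktemp -d)
  if ! tar -xf "$archive" -C "$tmp" backup/container/backup.yaml 2>/dev/null; then
    echo "no backup/container/backup.yaml in $archive" >&2
    rm -rf "$tmp"
    return 2
  fi
  found=0
  for key in $RESTRICTED_KEYS; do
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    # matches "    security.privileged: ..." including block-scalar values ("raw.lxc: |")
    if grep -Eq "^[[:space:]]*${esc}:" "$tmp/backup/container/backup.yaml"; then
      echo "$key"
      found=1
    fi
  done
  rm -rf "$tmp"
  return $found
}

# Demo: build both variants and scan them (prints which archive would be flagged).
demo_dir=$(mktemp -d)
for variant in clean bypass; do
  make_sample_archive "$demo_dir/$variant.tar" "$variant"
  if keys=$(lxd_backup_restricted_keys "$demo_dir/$variant.tar"); then
    echo "$variant.tar: no restricted keys"
  else
    echo "$variant.tar: FLAGGED ($(echo "$keys" | tr '\n' ' '))"
  fi
done
rm -rf "$demo_dir"
```

The check deliberately reads only the file the vulnerable code path acted on, so it flags an archive regardless of what index.yaml claims; on a patched host (6.8 or later) LXD enforces the restrictions itself, and the script is useful mainly for reviewing archives imported before the upgrade or for alerting on imports from restricted projects.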
Recommended Actions
- Check if your systems use any of the affected products listed above.
- Apply vendor patches immediately if available.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2026-34178.