Vulnerability Description
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Lxd | >= 4.12, <= 5.0.6 |
Related Weaknesses (CWE)
References
- https://github.com/canonical/lxd/pull/17921Issue Tracking
- https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4Third Party AdvisoryExploit
- https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4Third Party AdvisoryExploit
FAQ
What is CVE-2026-34178?
CVE-2026-34178 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a s...
How severe is CVE-2026-34178?
CVE-2026-34178 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-34178?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Lxd.