Public March 2026
LXD Non-Recursive Certificate Listing Bypassed Visibility Checks
BugBunny.ai discovered that LXD’s GET /1.0/certificates endpoint applied the caller’s permission filter in recursive mode but never applied it on the non-recursive path. As a result, restricted trusted users could enumerate every certificate fingerprint in the trust store, not just the ones their identity was permitted to see.
TL;DR
- Impact: Authenticated restricted users can enumerate all trusted certificate fingerprints in a deployment.
- Attack vector: Non-recursive GET /1.0/certificates requests made by any authenticated LXD identity.
- Affected: LXD 6.6 deployments using certificate-based access control.
- Fix: Published and fixed in LXD 6.7.
Root Cause
The handler built a per-request permission checker and consulted it while assembling the recursive (full-object) response, but the non-recursive branch later iterated over the original, unfiltered certificate list when emitting the plain URL output.
That divergence produced an authorization bypass in one response mode only. It also stood out against five other LXD list endpoints, each of which consistently filtered objects in both its recursive and non-recursive code paths.
Product
LXD
Affected
6.6
Patched
6.7
Weaknesses
CWE-862: Missing Authorization
Mitigation
- Upgrade LXD to version 6.7 or later.
- Apply per-object authorization before branching into response-shape logic.
- Add tests that compare recursive and non-recursive listings for restricted users.
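The bug shape described under Root Cause and the regression test recommended above, as an added Go example written for this page. It is not LXD’s code: the types, the two handler functions, the project-based visibility policy, the URL prefix and the sample fingerprints are hypothetical stand-ins chosen to reproduce the pattern of filtering on one response path only.

```go
package main

import (
	"fmt"
	"strings"
)

// Certificate is a constructed trust-store entry; Project "" means unrestricted.
type Certificate struct {
	Fingerprint string
	Project     string
}

// Identity is the caller; restricted callers are confined to one project.
type Identity struct {
	Restricted bool
	Project    string
}

// listResponse carries either shape: URLs (non-recursive) or objects (recursive).
type listResponse struct {
	URLs  []string
	Certs []Certificate
}

// permissionChecker builds the per-object check once per request. The policy is
// hypothetical: unrestricted callers see everything, restricted callers only
// certificates tied to their own project.
func permissionChecker(caller Identity) func(Certificate) bool {
	return func(c Certificate) bool {
		return !caller.Restricted || (c.Project != "" && c.Project == caller.Project)
	}
}

// filter keeps the certificates the checker allows, preserving store order.
func filter(store []Certificate, canView func(Certificate) bool) []Certificate {
	var out []Certificate
	for _, c := range store {
		if canView(c) {
			out = append(out, c)
		}
	}
	return out
}

// urlsOf renders the non-recursive (plain URL) shape.
func urlsOf(certs []Certificate) []string {
	urls := make([]string, 0, len(certs))
	for _, c := range certs {
		urls = append(urls, "/1.0/certificates/"+c.Fingerprint)
	}
	return urls
}

// listCertificatesVulnerable mirrors the flaw: filtered when recursive, unfiltered otherwise.
func listCertificatesVulnerable(caller Identity, store []Certificate, recursive bool) listResponse {
	canView := permissionChecker(caller)
	if recursive {
		return listResponse{Certs: filter(store, canView)}
	}
	return listResponse{URLs: urlsOf(store)} // BUG: canView is never consulted here
}

// listCertificatesFixed authorizes once, before branching on response shape.
func listCertificatesFixed(caller Identity, store []Certificate, recursive bool) listResponse {
	visible := filter(store, permissionChecker(caller))
	if recursive {
		return listResponse{Certs: visible}
	}
	return listResponse{URLs: urlsOf(visible)}
}

// fingerprints normalizes either response shape to a fingerprint list (store order).
func fingerprints(r listResponse) []string {
	var fps []string
	for _, u := range r.URLs {
		fps = append(fps, strings.TrimPrefix(u, "/1.0/certificates/"))
	}
	for _, c := range r.Certs {
		fps = append(fps, c.Fingerprint)
	}
	return fps
}

// modesAgree is the regression check the advisory recommends: for one caller,
// the recursive and non-recursive listings must expose the same fingerprints.
func modesAgree(list func(Identity, []Certificate, bool) listResponse, caller Identity, store []Certificate) bool {
	a := fingerprints(list(caller, store, false))
	b := fingerprints(list(caller, store, true))
	return strings.Join(a, ",") == strings.Join(b, ",")
}

// sampleStore is constructed sample data; the fingerprints are not real.
var sampleStore = []Certificate{{"aa11", ""}, {"bb22", "ci"}, {"cc33", "dev"}}

func main() {
	alice := Identity{Restricted: true, Project: "dev"}
	fmt.Println("vulnerable, non-recursive:", fingerprints(listCertificatesVulnerable(alice, sampleStore, false)))
	fmt.Println("modes agree, vulnerable:", modesAgree(listCertificatesVulnerable, alice, sampleStore))
	fmt.Println("modes agree, fixed:", modesAgree(listCertificatesFixed, alice, sampleStore))
}
```

The restricted caller is entitled to one fingerprint; the vulnerable handler returns three on the non-recursive path and one on the recursive path, which is exactly the discrepancy modesAgree is built to catch. An unrestricted caller gets identical results from both handlers, which is why the bug is invisible to tests that only exercise an admin identity.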
Credits & Disclosure
Published via GitHub Security Advisory GHSA-crmg-9m86-636r after coordinated disclosure with the LXD maintainers.