CVE-2026-28384
Received Received - Intake
Command Injection via Improper Sanitization in Canonical LXD API

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: Canonical Ltd.

Description
An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28384
EUVD
EUVD-2026-11585
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
canonical lxd From 4.12 (inc) to 6.6 (inc)
canonical lxd 5.0.6-e49d9f4
canonical lxd 5.21.4-1374f39
canonical lxd 6.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The recommended immediate mitigation is to upgrade the LXD snap to a fixed version that includes the patch for CVE-2026-28384.

  • Run the command: sudo snap refresh lxd

Ensure your LXD snap version is at least 5.0.6-e49d9f4 (5.0/stable), 5.21.4-1374f39 (5.21/stable), or 6.7-1f11451 (6.0 stable) to be protected against this vulnerability.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28384 is a critical security vulnerability in Canonical LXD that arises from improper sanitization of the compression_algorithm parameter used in image and backup API endpoints.'}, {'type': 'paragraph', 'content': 'An authenticated but unprivileged user can exploit this flaw by injecting arbitrary commands through the compression_algorithm parameter, which is shell-parsed and executed by the LXD daemon with root privileges.'}, {'type': 'paragraph', 'content': 'The vulnerability exists because the compression_algorithm string is executed without strict validation, allowing attackers to run commands like bash -c "malicious_command" on the host system.'}, {'type': 'paragraph', 'content': 'This issue affects LXD versions from 4.12 through 6.6 and was fixed in later snap releases by implementing strict allowlist validation of compression algorithms and rejecting unsupported or potentially harmful inputs.'}] [3, 5]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an authenticated user with limited privileges to execute arbitrary commands as the LXD daemon, which runs as root, effectively leading to full host system compromise.'}, {'type': 'paragraph', 'content': 'Exploitation can result in container or virtual machine escape, lateral movement within clustered LXD environments, and breaches in multi-tenant shared setups.'}, {'type': 'paragraph', 'content': "Attackers can gain full control over the host's filesystem and memory, modify or delete data, and cause denial of service, impacting confidentiality, integrity, and availability at the highest levels."}, {'type': 'paragraph', 'content': 'The attack complexity is low, requiring only a single crafted API request with valid credentials and entitlements to create images or manage backups.'}] [3, 5]

Compliance Impact

I don't know

Detection Guidance

You can detect if your system is affected by checking the installed LXD snap version and revision against the fixed versions.

  • Run the command: snap list | grep lxd

Compare the installed version and revision with the fixed versions: 5.0.6-e49d9f4 (5.0/stable), 5.21.4-1374f39 (5.21/stable), and 6.7-1f11451 (6.0 stable). Versions from 4.12 through 6.6 are vulnerable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart