
LXD API allows authenticated users to run arbitrary commands on the server

CVE-2026-28384
Summary

An authenticated but unprivileged LXD API user can execute commands as the LXD daemon, and so take control of the server, by sending crafted values in the compression_algorithm parameter to the image and backup endpoints. This can expose sensitive data or disrupt the server's operation. Fixes are shipped per release series rather than as a single version: 5.0.6 (channel 5.0/stable), 5.21.4 (channel 5.21/stable) and 6.7 (channel 6.0/stable); the 4.0/stable channel is not affected. Update to the fixed build for the channel in use; on snap installs, `snap list lxd` shows the installed version and tracked channel.

Original title
An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to ...
Original description
An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0/stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
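The description names the bug class (CWE-78) but not its shape. The following Go program, added here as an illustration and not taken from LXD's source, contrasts the injectable pattern (a client-supplied compressor name spliced into a shell command line) with the hardened one (exact-match allowlist mapped to a server-chosen argv, executed without a shell). The allowlist contents, function names and the request values are assumptions made for the example; the real set of compressors LXD accepts and its actual handler code are not shown on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
)

// Illustrative allowlist (assumed, not LXD's own): each compression_algorithm
// value a client may request maps to a fixed argv chosen by the server.
var compressionAllowlist = map[string][]string{
	"none":  nil,
	"gzip":  {"gzip", "-c"},
	"bzip2": {"bzip2", "-c"},
	"xz":    {"xz", "-c"},
	"zstd":  {"zstd", "-c"},
}

// unsafeCompressCommandLine shows the CWE-78 shape: the untrusted request
// value is pasted into a shell command line, so any metacharacters in it
// (';', '|', '$(...)') are interpreted by sh with the daemon's privileges.
func unsafeCompressCommandLine(algorithm, inputPath string) []string {
	return []string{"sh", "-c", fmt.Sprintf("cat %s | %s", inputPath, algorithm)}
}

// safeCompressArgv is the hardened counterpart: the request must exactly match
// an allowlisted name, and the argv returned never contains request bytes.
func safeCompressArgv(algorithm string) ([]string, error) {
	argv, ok := compressionAllowlist[algorithm]
	if !ok {
		return nil, fmt.Errorf("unsupported compression_algorithm %q", algorithm)
	}
	return argv, nil
}

// compressWith runs the allowlisted compressor without a shell: argv elements
// go to execve as-is, so nothing from the request is re-parsed as syntax.
func compressWith(algorithm string, data []byte) ([]byte, error) {
	argv, err := safeCompressArgv(algorithm)
	if err != nil {
		return nil, err
	}
	if argv == nil { // "none": pass the data through unchanged
		return data, nil
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = bytes.NewReader(data)
	var out bytes.Buffer
	cmd.Stdout = &out
	if err := cmd.Run(); err != nil {
		return nil, fmt.Errorf("%s failed: %w", argv[0], err)
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed request values: one legitimate, one carrying a shell
	// metacharacter sequence. The payload is illustrative only.
	for _, req := range []string{"gzip", "gzip; id"} {
		fmt.Printf("unsafe argv: %q\n", unsafeCompressCommandLine(req, "/var/lib/lxd/images/x.tar"))
		if argv, err := safeCompressArgv(req); err != nil {
			fmt.Println("safe: rejected:", err)
		} else {
			fmt.Printf("safe: accepted, argv %q\n", argv)
		}
	}
	if out, err := compressWith("none", []byte("hello")); err == nil {
		fmt.Println("none:", string(out))
	}
}
```

The unsafe builder is shown only to make the vulnerable shape concrete; it is never executed here. Note that the hardened version rejects on exact match rather than by stripping "dangerous" characters: a denylist of metacharacters is easy to bypass and still leaves the shell in the execution path, whereas an allowlist plus shell-free `exec.Command` removes the injection surface entirely.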
NVD CVSS 4.0: 9.4
Vulnerability type
CWE-78 OS Command Injection
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026