CVE-2026-28384 is an OS command injection vulnerability classified under CWE-78, discovered in Canonical's LXD container management software. The flaw exists due to improper neutralization of special elements in the compression_algorithm parameter used in API calls to image and backup endpoints. This parameter is not correctly sanitized, allowing an authenticated user with limited privileges to inject and execute arbitrary OS commands as the LXD daemon user on the server. The vulnerability affects LXD versions from 4.12 up to 6.6, excluding the 4.0/stable channel which contains version 4.0.10 and is not vulnerable. Exploitation does not require user interaction and can be performed remotely over the network, given authentication. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and privileges required but with high impact on confidentiality, integrity, and availability. The vulnerability could allow attackers to escalate privileges, manipulate container images or backups, and potentially compromise the host system. Canonical has released patches in specific snap channels (5.0/stable, 5.21/stable, and 6.0 stable) to address the issue. No known exploits in the wild have been reported yet, but the critical severity and ease of exploitation make timely patching essential.

The impact of CVE-2026-28384 is severe for organizations using vulnerable LXD versions. Successful exploitation allows an authenticated, unprivileged user to execute arbitrary commands with the privileges of the LXD daemon, which typically has elevated rights on the host system. This can lead to full system compromise, including unauthorized access to sensitive data, disruption of containerized services, and potential lateral movement within the network. Since LXD is widely used in cloud environments, data centers, and development infrastructures, this vulnerability poses a significant risk to confidentiality, integrity, and availability of critical systems. Organizations relying on containerization for application deployment and isolation may face service outages, data breaches, and compliance violations if exploited. The lack of required user interaction and network accessibility of the API further increase the threat level.

To mitigate CVE-2026-28384, organizations should immediately upgrade affected LXD installations to the patched versions provided by Canonical: snap versions 5.0.6-e49d9f4 (5.0/stable), 5.21.4-1374f39 (5.21/stable), or 6.7-1f11451 (6.0 stable). Until patches are applied, restrict access to the LXD API endpoints, especially image and backup interfaces, to trusted and authenticated users only. Implement strict network segmentation and firewall rules to limit exposure of the LXD API to internal networks or management VLANs. Employ strong authentication mechanisms and monitor API usage for unusual or unauthorized commands. Additionally, review and harden container host configurations to minimize daemon privileges and isolate container workloads. Regularly audit container and host logs for signs of exploitation attempts. Consider deploying runtime security tools that can detect anomalous command execution within container environments. Finally, maintain an up-to-date inventory of LXD versions in use to ensure timely patch management.