Public February 2026
LXD Shell-Parsed compression_algorithm Reached Host Command Execution
BugBunny.ai discovered that several LXD image and backup endpoints accepted a user-controlled compression_algorithm value that was later shell-parsed and executed on the host. An authenticated user with the relevant permissions could escalate that field into full host-level command execution.
TL;DR
- Authenticated users with image or backup permissions can execute arbitrary commands on the LXD host.
- Shell metacharacters embedded in compression_algorithm values for image and backup API endpoints.
- LXD releases from 4.12 up to, but not including, 6.7.
- CVE assigned during coordination; patched in LXD 6.7.
Root Cause
The vulnerable endpoints accepted compression_algorithm as a plain string and later passed it into host-side command execution without restricting the value to a safe allowlist. LXD therefore treated a shell-sensitive parameter as though it were a benign enum.
Because the resulting commands ran on the host rather than inside an isolated container context, a successful injection crossed directly into host compromise. The permissions needed were not admin-only, which made the reachable blast radius much larger in shared deployments.
Product: LXD
Affected: >= 4.12, < 6.7
Patched: 6.7
Weaknesses
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Mitigation
- Upgrade LXD to version 6.7 or later.
- Treat compression algorithm names as enumerated values and reject anything outside a strict allowlist.
- Audit other API parameters that are forwarded into host-side command execution helpers.
Credits & Disclosure
CVE-2026-28384 was assigned during coordinated disclosure based on GitHub Security Advisory GHSA-4rmf-rcp8-2r9g.