GHSA-rchw-322g-f7rm

Source

https://github.com/advisories/GHSA-rchw-322g-f7rm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rchw-322g-f7rm/GHSA-rchw-322g-f7rm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rchw-322g-f7rm

Aliases

CVE-2026-28279

Published

2026-02-28T02:05:48Z

Modified

2026-02-28T06:27:52.386861Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

osctrl is Vulnerable to OS Command Injection via Environment Configuration

Details

Summary

An OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's text/template package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment.

Impact

An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise.

Patches

Fixed in osctrl v0.5.0. Users should upgrade immediately.

Workarounds

Restrict osctrl administrator access to trusted personnel. Review existing environment configurations for suspicious hostnames. Monitor enrollment scripts for unexpected commands.

Credits

Leon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)

https://github.com/Kwangyun → @Kwangyun https://github.com/sho-luv → @sho-luv

Database specific

{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed_at": "2026-02-28T02:05:48Z",
    "nvd_published_at": "2026-02-26T23:16:37Z"
}

References

Affected packages

Go / github.com/jmpsec/osctrl

Package

Name: github.com/jmpsec/osctrl; View open source insights on deps.dev
Purl: pkg:golang/github.com/jmpsec/osctrl

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rchw-322g-f7rm/GHSA-rchw-322g-f7rm.json"