GHSA-rphv-h674-5hp2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rphv-h674-5hp2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rphv-h674-5hp2/GHSA-rphv-h674-5hp2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rphv-h674-5hp2
- Aliases
-
- CVE-2026-27806
- Published
- 2026-04-08T18:03:52Z
- Modified
- 2026-04-08T18:17:08.685110Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
- Details
-
Summary
The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via
exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quotedsend {%s}, a password containing}terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Impact
- Local privilege escalation to root: Any unprivileged local user on a managed endpoint can execute arbitrary commands as root
Credit
This vulnerability was discovered and reported by bugbunny.ai.
- Database specific
{ "nvd_published_at": null, "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-78" ], "github_reviewed_at": "2026-04-08T18:03:52Z" }- References
Affected packages
Go / github.com/fleetdm/fleet/v4
Package
- Name
- github.com/fleetdm/fleet/v4
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/fleetdm/fleet/v4