Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection.
AnalysisAI
Command injection in CFEngine Enterprise and Community editions before versions 3.21.8, 3.24.3, and 3.27.0 enables remote unauthenticated attackers to execute arbitrary commands on the system. The vulnerability has an EPSS score of 0.15% indicating relatively low exploitation probability, and no public exploit identified at time of analysis. SSVC framework rates this as automatable with total technical impact, suggesting high potential severity if exploited.
Technical ContextAI
CFEngine is a configuration management and automation framework used for managing IT infrastructure at scale. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-controlled input is passed to system commands without proper sanitization. This affects both the open-source Community edition and commercial Enterprise edition across multiple version branches (3.21.x, 3.24.x, and 3.27.x lines).
RemediationAI
Upgrade CFEngine to version 3.21.8 or later for the 3.21.x branch, version 3.24.3 or later for the 3.24.x branch, or version 3.27.0 or later for the 3.27.x branch. Consult the vendor advisory at https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ for detailed upgrade instructions. If immediate patching is not possible, implement network segmentation to restrict access to CFEngine servers from untrusted networks, and monitor CFEngine logs for suspicious command execution patterns. Consider temporarily disabling any CFEngine features that accept external input if they are not business-critical.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30276
GHSA-mcq4-jrhv-99mg