Skip to main content

Linuxfabrik monitoring-plugins CVE-2026-52817

HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-07-02 https://github.com/Linuxfabrik/monitoring-plugins GHSA-8w6w-23mq-h8rg
Share

Severity by source

vuln.today AI
7.8 HIGH

Local escalation requiring prior control of the nagios user (PR:L), no interaction, and a one-line deterministic PoC (AC:L) yielding full root (C/I/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 20:50 vuln.today

DescriptionCVE.org

Summary

In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user:

PoC

By choosing a particular argument, you can get (as a nagios user) a root shell:

sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"

Since the nagious user can use sudo to run apt-get as root, the resulting shell is also running as root.

Impact

The vulnerability is a local privilege escalation, impacting users who use the provided sudoers file. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).

Fix

Since only one place where apt-get is currently used (in deb-updates) was found, it should be enough to allow only the specific arguments used there.

Here an example how the line in the sudoers file could look like:

                    /usr/lib64/nagios/plugins/strongswan-connections,\
                    /usr/lib64/nagios/plugins/systemd-unit,\
                    /usr/bin/apt-get update --quiet 2

AnalysisAI

Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise nagios account
Exploit
Invoke sudo apt-get with -o Pre-Invoke
Execution
apt-get runs shell command as root
Impact
Obtain interactive root shell

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target host has installed the provided Debian.sudoers file granting the nagios user passwordless sudo to apt-get, AND that the attacker has already obtained execution as the nagios user - this prior-compromise requirement is the principal limiting factor, as stated by the reporter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector, EPSS score, KEV listing, or SSVC decision data was provided, so quantitative signals are absent and severity must be inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already compromised the nagios service account - for example via a vulnerable monitoring check, a leaked SSH key, or a foothold on the host - runs 'sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"', which apt-get executes as root before performing the update, dropping the attacker into an interactive root shell. A working PoC is published in the vendor advisory, making exploitation trivial and reliable once the nagios account is held.
Remediation The primary fix is to replace the permissive 'apt-get' sudoers entry with a fully-qualified command line matching only the arguments the suite actually uses, i.e. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Linuxfabrik monitoring-plugins and verify whether the vulnerable Debian.sudoers file is present. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy