Linuxfabrik Monitoring Plugins CVE-2026-55426
HIGHSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attacker must already control the local nagios account (AV:L, PR:L) and injection is trivially reliable (AC:L); escalation to root yields full C/I/A impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
When a check plugin places user provided input inside a command which is passed to shell_exec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get root privileges.
Details
An example for this is the restic-check plugin, where the --repo argument is placed inside the command argument of shell_exec. As an example, an attacker could use the --repo argument |touch /root/nagios-was-here|. The full restic command is assembled to the string restic --json --repo=|touch /root/nagios-was-here| --password-file= check before it is passed to shell_exec. shell_exec then splits the command up in three parts at the | boundaries and executes the parts separately, which also executes the embedded command touch /root/nagios-was-here.
PoC
This PoC shows how the nagios user can use this to create a file inside /root.
nagios@test-vm:/$ sudo /usr/lib64/nagios/plugins/restic-check --repo '|touch /root/nagios-was-here|'Impact
The vulnerability is a local privilege escalation.
Fix
Switch from | to an array
Remove the | split functionality. Instead, modify shell_exec to accept either a string or an array of strings. If an array is provided, the commands are chained together like they currently are when using |. If a string is provided, no split should be performed. You could also introduce a separate function like shell_exec_with_user_input() which implements this such that the current shell_exec function can stay like it is.
This leaves the problem that an attacker can still specify arbitrary arguments inside a command. An example for this would be to use the --repo argument sftp://example.com --cache-dir /tmp, which would lead to the execution of: restic --json --repo=sftp://example.com --cache-dir /tmp --password-file=None check. Please note that this example should mainly highlight the problem in general. To prevent the problem, there is either escaping or again array-syntax. Escaping would use shlex.quote to place the user provided argument inside quotes and which also escapes everything which needs to be escaped. Using array syntax would mean providing the full command as an array like ['restic', '--json', '--repo', 'sftp://example.com']. The array can then be given as-is to Popen. With this method, the proposed shell_exec_with_user_input would accept an array of array of strings.
Patches
The fix follows the array-syntax approach proposed above:
linuxfabrik-lib5.0.0:lib.shell.shell_exec()requires the command as a list of
arguments (argv) and always runs with shell=False. The | split functionality, command strings and the shell= parameter have been removed, so user-provided input can no longer break out of a command. lib.shell.safe_cli_value() additionally guards positional arguments (such as an ssh destination or a ping target) against option injection, and lib.ssh builds argument lists as well.
- Linuxfabrik Monitoring Plugins: all plugins assemble their external commands as argv lists
(commit 23bb570f4). Contained in every release after v5.2.0.
AnalysisAI
Local privilege escalation in Linuxfabrik Monitoring Plugins (and the underlying linuxfabrik-lib Python library) lets an attacker who already controls the low-privileged nagios account execute arbitrary OS commands, typically as root. The flaw stems from the library's shell_exec() helper splitting assembled command strings on the pipe (|) character, so user-controlled plugin arguments such as restic-check's --repo can inject additional commands. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local control of the nagios (or equivalent monitoring) user account and requires that a vulnerable plugin - the restic-check plugin is the demonstrated case - is invocable through the sudoers file so its command runs as root. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8 High) is internally consistent and matches the description: local access, low complexity, low privileges (the nagios user), no user interaction, and full compromise of confidentiality, integrity, and availability once escalation to root occurs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained code execution as the nagios monitoring user finds that the restic-check plugin is permitted via sudo. They invoke 'sudo /usr/lib64/nagios/plugins/restic-check --repo "|touch /root/nagios-was-here|"', and the injected command runs as root, as shown in the vendor's PoC. … |
| Remediation | Vendor-released patch: upgrade linuxfabrik-lib to 5.0.0 or later, where shell_exec() requires an argv list and always runs with shell=False, the | split logic and shell= parameter are removed, safe_cli_value() guards positional arguments against option injection, and lib.ssh builds argument lists as well. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Linuxfabrik Monitoring Plugins and verify nagios account privilege levels. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-798h-hpph-m24j