Skip to main content

Linuxfabrik Monitoring Plugins CVE-2026-55426

HIGH
OS Command Injection (CWE-78)
2026-07-06 https://github.com/Linuxfabrik/monitoring-plugins GHSA-798h-hpph-m24j
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Attacker must already control the local nagios account (AV:L, PR:L) and injection is trivially reliable (AC:L); escalation to root yields full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 06, 2026 - 22:00 vuln.today
CVE Published
Jul 06, 2026 - 21:13 github-advisory
HIGH 7.8

DescriptionGitHub Advisory

Summary

When a check plugin places user provided input inside a command which is passed to shell_exec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get root privileges.

Details

An example for this is the restic-check plugin, where the --repo argument is placed inside the command argument of shell_exec. As an example, an attacker could use the --repo argument |touch /root/nagios-was-here|. The full restic command is assembled to the string restic --json --repo=|touch /root/nagios-was-here| --password-file= check before it is passed to shell_exec. shell_exec then splits the command up in three parts at the | boundaries and executes the parts separately, which also executes the embedded command touch /root/nagios-was-here.

PoC

This PoC shows how the nagios user can use this to create a file inside /root.

nagios@test-vm:/$ sudo /usr/lib64/nagios/plugins/restic-check --repo '|touch /root/nagios-was-here|'

Impact

The vulnerability is a local privilege escalation.

Fix

Switch from | to an array

Remove the | split functionality. Instead, modify shell_exec to accept either a string or an array of strings. If an array is provided, the commands are chained together like they currently are when using |. If a string is provided, no split should be performed. You could also introduce a separate function like shell_exec_with_user_input() which implements this such that the current shell_exec function can stay like it is.

This leaves the problem that an attacker can still specify arbitrary arguments inside a command. An example for this would be to use the --repo argument sftp://example.com --cache-dir /tmp, which would lead to the execution of: restic --json --repo=sftp://example.com --cache-dir /tmp --password-file=None check. Please note that this example should mainly highlight the problem in general. To prevent the problem, there is either escaping or again array-syntax. Escaping would use shlex.quote to place the user provided argument inside quotes and which also escapes everything which needs to be escaped. Using array syntax would mean providing the full command as an array like ['restic', '--json', '--repo', 'sftp://example.com']. The array can then be given as-is to Popen. With this method, the proposed shell_exec_with_user_input would accept an array of array of strings.

Patches

The fix follows the array-syntax approach proposed above:

  • linuxfabrik-lib 5.0.0: lib.shell.shell_exec() requires the command as a list of

arguments (argv) and always runs with shell=False. The | split functionality, command strings and the shell= parameter have been removed, so user-provided input can no longer break out of a command. lib.shell.safe_cli_value() additionally guards positional arguments (such as an ssh destination or a ping target) against option injection, and lib.ssh builds argument lists as well.

  • Linuxfabrik Monitoring Plugins: all plugins assemble their external commands as argv lists

(commit 23bb570f4). Contained in every release after v5.2.0.

AnalysisAI

Local privilege escalation in Linuxfabrik Monitoring Plugins (and the underlying linuxfabrik-lib Python library) lets an attacker who already controls the low-privileged nagios account execute arbitrary OS commands, typically as root. The flaw stems from the library's shell_exec() helper splitting assembled command strings on the pipe (|) character, so user-controlled plugin arguments such as restic-check's --repo can inject additional commands. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain nagios user access
Delivery
Identify sudo-enabled Linuxfabrik plugin
Exploit
Craft --repo with |command| payload
Install
Invoke plugin via sudo
C2
shell_exec splits on pipe
Execute
Injected command runs as root
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires local control of the nagios (or equivalent monitoring) user account and requires that a vulnerable plugin - the restic-check plugin is the demonstrated case - is invocable through the sudoers file so its command runs as root. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 7.8 High) is internally consistent and matches the description: local access, low complexity, low privileges (the nagios user), no user interaction, and full compromise of confidentiality, integrity, and availability once escalation to root occurs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained code execution as the nagios monitoring user finds that the restic-check plugin is permitted via sudo. They invoke 'sudo /usr/lib64/nagios/plugins/restic-check --repo "|touch /root/nagios-was-here|"', and the injected command runs as root, as shown in the vendor's PoC. …
Remediation Vendor-released patch: upgrade linuxfabrik-lib to 5.0.0 or later, where shell_exec() requires an argv list and always runs with shell=False, the | split logic and shell= parameter are removed, safe_cli_value() guards positional arguments against option injection, and lib.ssh builds argument lists as well. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Linuxfabrik Monitoring Plugins and verify nagios account privilege levels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy