Skip to main content

EUVDEUVD-2026-20540

| CVE-2026-27806 HIGH
OS Command Injection (CWE-78)
2026-04-08 https://github.com/fleetdm/fleet GHSA-rphv-h674-5hp2
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 18:16 euvd
EUVD-2026-20540
Analysis Generated
Apr 08, 2026 - 18:16 vuln.today
CVE Published
Apr 08, 2026 - 18:03 nvd
HIGH 7.8

DescriptionGitHub Advisory

Summary

The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.

CWE

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Impact

  • Local privilege escalation to root: Any unprivileged local user on a managed endpoint can execute arbitrary commands as root

Credit

This vulnerability was discovered and reported by bugbunny.ai.

AnalysisAI

Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. CVSS 7.8 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though exploitation requires only a specially crafted password containing closing brace characters. Impacts organizations using Fleet's macOS disk encryption management.

Technical ContextAI

Fleet Orbit is a cross-platform agent for the Fleet device management platform (pkg:go/github.com_fleetdm_fleet_v4). On macOS, Orbit manages FileVault disk encryption key rotation by prompting users for their password via GUI dialog, then using that password in an automated expect script to complete the rotation. The implementation uses Go's exec.Command to invoke expect with a dynamically constructed Tcl script containing the user password wrapped in Tcl brace-quoting: send {user_password}. Tcl brace-quoting is not escape-aware; a closing brace in the password string terminates the literal prematurely, allowing injection of arbitrary Tcl commands. Because Orbit runs with root privileges to perform system-level disk encryption operations, injected Tcl commands execute as root. This represents a classic CWE-78 OS command injection vulnerability compounded by CWE-94 code injection, where untrusted data (user password) flows directly into executable code context without sanitization or parameterization.

RemediationAI

Apply the vendor-released patch referenced in GitHub Security Advisory GHSA-rphv-h674-5hp2 at https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2. Upgrade Fleet Orbit agent to the patched version specified in the advisory, which implements proper input sanitization or parameterization for expect script construction. Until patching is complete, consider disabling automated FileVault key rotation in Fleet and performing manual key escrow, or restrict Orbit deployment to trusted user environments only. Review audit logs for unexpected privilege escalation events or suspicious expect process invocations by Orbit. No effective workaround exists short of disabling the vulnerable feature, as the flaw is architectural in the password handling flow.

Share

EUVD-2026-20540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy