Skip to main content

CFEngine EUVDEUVD-2026-30276

| CVE-2026-24712 HIGH
Command Injection (CWE-77)
2026-05-14 mitre GHSA-mcq4-jrhv-99mg
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 15:22 vuln.today
CVSS changed
May 15, 2026 - 15:22 NVD
7.3 (None) 7.3 (HIGH)
CVE Published
May 14, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection.

AnalysisAI

Command injection in CFEngine Enterprise and Community editions before versions 3.21.8, 3.24.3, and 3.27.0 enables remote unauthenticated attackers to execute arbitrary commands on the system. The vulnerability has an EPSS score of 0.15% indicating relatively low exploitation probability, and no public exploit identified at time of analysis. SSVC framework rates this as automatable with total technical impact, suggesting high potential severity if exploited.

Technical ContextAI

CFEngine is a configuration management and automation framework used for managing IT infrastructure at scale. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-controlled input is passed to system commands without proper sanitization. This affects both the open-source Community edition and commercial Enterprise edition across multiple version branches (3.21.x, 3.24.x, and 3.27.x lines).

RemediationAI

Upgrade CFEngine to version 3.21.8 or later for the 3.21.x branch, version 3.24.3 or later for the 3.24.x branch, or version 3.27.0 or later for the 3.27.x branch. Consult the vendor advisory at https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ for detailed upgrade instructions. If immediate patching is not possible, implement network segmentation to restrict access to CFEngine servers from untrusted networks, and monitor CFEngine logs for suspicious command execution patterns. Consider temporarily disabling any CFEngine features that accept external input if they are not business-critical.

Share

EUVD-2026-30276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy