Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T

High CVSS: 7.8 EPSS: 0.00012% (0.01818 Percentile) EPSS:
Permalink JSON

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Affected Packages Affected Versions Fixed Versions
go:github.com/fleetdm/fleet/v4
PURL: pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4
< 4.81.1 4.81.1
1 Dependent packages
6 Dependent repositories

Affected Version Ranges

All affected versions

v4.0.0, v4.0.0-rc1, v4.0.0-rc2, v4.0.0-rc3, v4.0.1, v4.1.0, v4.28.0, v4.36.0, v4.37.0, v4.43.4, v4.46.0, v4.73.3, v4.75.0, v4.75.2, v4.76.0, v4.76.2, v4.77.0, v4.77.1, v4.78.0, v4.78.1, v4.78.2, v4.78.3, v4.79.0, v4.79.1, v4.80.0, v4.80.1, v4.80.2, v4.80.3, v4.81.0

All unaffected versions

v4.81.1, v4.81.2, v4.81.3, v4.82.0, v4.82.1, v4.82.2, v4.83.0

Summary

The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.

CWE

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Impact

  • Local privilege escalation to root: Any unprivileged local user on a managed endpoint can execute arbitrary commands as root

Credit

This vulnerability was discovered and reported by bugbunny.ai.

References:

Identifiers

GHSA-rphv-h674-5hp2

CVE-2026-27806

Risk

Severity

High

CVSS

CVSS Score: 7.8

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

EPSS Percentage: 0.00012

EPSS Percentile: 0.01818

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

3 days ago

Updated

about 16 hours ago

API

JSON