{"uuid":"GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T","url":"https://github.com/advisories/GHSA-rphv-h674-5hp2","title":"Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit","description":"## Summary\n\nThe Orbit agent's FileVault disk encryption key rotation flow on macOS collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command(\"expect\", \"-c\", script)`. Because the password is inserted into the Tcl brace-quoted literal `send {%s}`, a password containing an unbalanced `}` terminates the literal, and the remainder of the password is parsed by expect as Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.\n\n## CWE\n\n- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n- **CWE-94**: Improper Control of Generation of Code ('Code Injection')\n\n## Impact\n\n- Local privilege escalation to root: any unprivileged local user on a managed endpoint can execute arbitrary commands as root.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-04-08T18:03:52.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.8,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2","https://github.com/advisories/GHSA-rphv-h674-5hp2"],"source_kind":"github","identifiers":["GHSA-rphv-h674-5hp2","CVE-2026-27806"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-08T19:00:08.613Z","updated_at":"2026-04-10T16:00:14.510Z","epss_percentage":0.00012,"epss_percentile":0.01818,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.1","vulnerable_version_range":"\u003c 4.81.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T/related_packages","related_advisories":[]}
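The injection mechanism described in the advisory's Summary, as an added Go example that is not Fleet's or Orbit's code. It reproduces the unsafe `send {%s}` interpolation pattern, shows a checker for whether a string can sit inside a Tcl brace literal at all, and shows two safe alternatives: escaping the password into a Tcl double-quoted word, and keeping the secret out of the script text entirely by passing it through the `expect` process environment. The `fdesetup changerecovery -personal` spawn line, the `FV_USER_PASSWORD` variable name and the function names are assumptions made for illustration; the advisory does not show Orbit's actual script. Note that an environment variable of a root-owned process is readable by root but not by other local users, while anything placed in argv is visible to `ps`.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// VulnerableSendLine reproduces the unsafe pattern from the advisory (illustrative,
// not Fleet's code): the password is interpolated into a Tcl brace-quoted literal,
// so an unbalanced '}' closes the literal and the rest is parsed by expect as Tcl.
func VulnerableSendLine(password string) string {
	return fmt.Sprintf("send {%s}", password)
}

// TclBraceSafe reports whether s can be placed verbatim inside a Tcl {...} literal:
// braces must nest (backslash-escaped braces do not count) and s must not end in an
// unescaped backslash, which would escape the closing brace. Even then, Tcl rewrites
// a backslash-newline inside braces to a space, so brace quoting is never byte-exact.
func TclBraceSafe(s string) bool {
	depth, escaped := 0, false
	for _, r := range s {
		if escaped {
			escaped = false
			continue
		}
		switch r {
		case '\\':
			escaped = true
		case '{':
			depth++
		case '}':
			if depth == 0 {
				return false // closes the enclosing literal: this is the injection point
			}
			depth--
		}
	}
	return depth == 0 && !escaped
}

// TclQuote returns s as a Tcl double-quoted word. Inside double quotes only
// backslash, double quote, '$' and '[' ']' trigger substitution; braces and
// semicolons are literal. CR/LF are escaped so the word stays on one line.
func TclQuote(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for _, r := range s {
		switch r {
		case '\\', '"', '$', '[', ']':
			b.WriteByte('\\')
			b.WriteRune(r)
		case '\n':
			b.WriteString(`\n`)
		case '\r':
			b.WriteString(`\r`)
		default:
			b.WriteRune(r)
		}
	}
	b.WriteByte('"')
	return b.String()
}

// HardenedSendLine escapes instead of interpolating. "--" stops expect's send
// from treating a password that begins with '-' as a flag.
func HardenedSendLine(password string) string {
	return "send -- " + TclQuote(password)
}

// expectScriptViaEnv never contains the secret: Tcl substitutes $env(...) with the
// variable's value and does not re-parse that value as script. The spawned command
// is a placeholder (assumption), not Orbit's real rotation command.
const expectScriptViaEnv = `
spawn /usr/bin/fdesetup changerecovery -personal
expect -re {(?i)password}
send -- "$env(FV_USER_PASSWORD)\r"
expect eof
exit
`

// ExpectCommandViaEnv builds (but does not run) the expect invocation, supplying the
// password through the child's environment rather than through argv or script text.
func ExpectCommandViaEnv(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", expectScriptViaEnv)
	cmd.Env = append(os.Environ(), "FV_USER_PASSWORD="+password)
	return cmd
}

func main() {
	// Constructed sample passwords: a plain one, one with balanced braces, and one
	// with an unbalanced '}' of the kind the advisory describes.
	for _, pw := range []string{"hunter2", "tr{icky}", "pw}; puts injected; {"} {
		fmt.Printf("%-24q brace-safe=%-5v vulnerable: %s\n", pw, TclBraceSafe(pw), VulnerableSendLine(pw))
		fmt.Printf("%-24s %-16s hardened:   %s\n", "", "", HardenedSendLine(pw))
	}
	fmt.Println("env-based argv:", ExpectCommandViaEnv("hunter2").Args)
}
```

Of the two fixes, the environment-variable form is preferable: it removes the need to reason about Tcl quoting at all, and a future edit that switches the script from double quotes back to braces cannot silently reopen the hole.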