{"id":"CVE-2026-27806","summary":"Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit","details":"Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command(\"expect\", \"-c\", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1.","aliases":["GHSA-rphv-h674-5hp2","GO-2026-5634"],"modified":"2026-07-08T07:46:53.603155415Z","published":"2026-04-08T17:40:24.119Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27806.json","cwe_ids":["CWE-78"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27806.json"},{"type":"ADVISORY","url":"https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27806"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fleetdm/fleet","events":[{"introduced":"0"},{"fixed":"729c324074c34d33e7f039991bdad05cef6c3b90"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.81.1"}],"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*"}}],"versions":["v4.81.0","fleet-v4.81.0","fleetctl-docker-deps-20260129","orbit-v1.51.0","fleetctl-docker-deps-20260113","fleetd-android-v1.0.0","fleetctl-docker-deps-v4.76.1","orbit-v1.50.0","orbit-v1.49.0","orbit-v1.48.0","orbit-v1.45.0","orbit-v1.43.0","orbit-v1.42.0","orbit-v1.41.0","rc-fleetctl-test-v4.63.0","tf-mod-addon-monitoring-v1.5.1","tf-mod-addon-monitoring-v1.5.0","tf-mod-addon-monitoring-v1.4.1","tf-mod-addon-ses-v1.2.0","fleetctl-docker-deps-v4.60.0","tf-mod-root-v1.9.2","tf-mod-byo-ecs-v1.8.1","tf-mod-addon-mdmproxy-v1.0.1","tf-mod-addon-saml-auth-proxy-v1.3.0","tf-mod-addon-ses-v1.1.0","tf-mod-root-v1.11.1","tf-mod-byo-vpc-v1.12.1","tf-mod-addon-waf-alb-v2.0.0","tf-mod-root-v1.11.0","tf-mod-byo-vpc-v1.12.0","tf-mod-byo-ecs-v1.8.0","tf-mod-byo-db-v1.9.0","tf-mod-addon-mdmproxy-v1.0.0","tf-mod-root-v1.10.0","tf-mod-byo-vpc-v1.11.0","tf-mod-byo-ecs-v1.7.0","tf-mod-byo-db-v1.8.0","tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.1","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.3","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.2","tf-mod-addon-osquery-carve-v1.1.0","tf-mod-addon-osquery-carve-split-account-split-account-v1.1.0","tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.1.0","tf-mod-addon-byo-file-carving-v1.1.0","tf-mod-addon-byo-file-carving-target-account-v1.1.0","tf-mod-root-v1.9.1","tf-mod-byo-vpc-v1.10.1","tf-mod-byo-ecs-v1.6.1","tf-mod-byo-db-v1.7.1","tf-mod-root-v1.9.0","tf-mod-byo-vpc-v1.10.0","tf-mod-byo-ecs-v1.6.0","tf-mod-byo-db-v1.7.0","tf-mod-addon-external-vuln-scans-v2.2.0","fleet-v4.51.0","tf-mod-addon-byo-kinesis-logging-destination-target-account-v1.0.0","tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.0","fleet-v4.50.0","tf-mod-root-v1.8.0","tf-mod-byo-vpc-v1.9.0","tf-mod-byo-ecs-v1.5.0","tf-mod-byo-db-v1.6.0","tf-mod-addon-external-vuln-scans-v2.1.0","fleetd-chrome-v1.3.1","tf-mod-addon-byo-file-carving-v1.0.0","tf-mod-addon-byo-file-carving-target-account-v1.0.0","tf-mod-addon-monitoring-v1.4.0","fleetd-chrome-v1.3.0","fleet-v4.49.0","tf-mod-root-v1.7.3","tf-mod-byo-vpc-v1.8.3","tf-mod-addon-logging-destination-firehose-v1.1.1","fleet-v4.48.0","fleetd-chrome-v1.2.1-beta","tf-mod-root-v1.7.2","tf-mod-byo-vpc-v1.8.2","tf-mod-addon-saml-auth-proxy-v1.2.0","tf-mod-addon-monitoring-v1.3.0","tf-mod-addon-monitoring-v1.2.0","fleet-v4.47.0","tf-mod-addon-mdm-v2.0.0","tf-mod-addon-migrations-v2.0.1","tf-mod-addon-external-vuln-scans-v2.0.2","tf-mod-addon-osquery-carve-v1.0.1","fleet-v4.45.0","fleetd-chrome-v1.2.0-beta","fleetd-chrome-v1.2.0","tf-mod-addon-external-vuln-scans-v2.0.1","tf-mod-root-v1.7.1","tf-mod-byo-vpc-v1.8.1","tf-mod-byo-ecs-v1.4.1","tf-mod-byo-db-v1.5.1","tf-mod-addon-external-vuln-scans-v2.0.0","fleetd-chrome-v1.1.3-beta","fleetd-chrome-v1.1.3","v4.43.4","fleetd-chrome-v1.1.1-beta","fleet-v4.40.0","fleetd-chrome-v1.1.0-beta","fleet-v4.43.0","orbit-v1.20.0","tf-mod-root-v1.7.0","tf-mod-byo-vpc-v1.8.0","tf-mod-byo-db-v1.5.0","tf-mod-byo-db-v1.4.0","tf-mod-addon-migrations-v2.0.0","tf-mod-addon-mdm-v1.5.0","tf-mod-addon-geolite2-v1.0.0","fleet-v4.41.0","tf-mod-root-v1.6.1","tf-mod-byo-vpc-v1.7.1","tf-mod-byo-db-v1.3.2","tf-mod-addon-monitoring-v1.1.3","tf-mod-root-v1.6.0","tf-mod-byo-vpc-v1.7.0","tf-mod-addon-logging-destination-firehose-v1.1.0","tf-mod-addon-logging-alb-v1.2.0","orbit-v1.18.3","tf-mod-addon-monitoring-v1.1.2","orbit-v1.18.2","orbit-v1.18.0-RC","orbit-test-build","fleet-v4.39.0","tf-mod-addon-mdm-v1.4.1","tf-mod-addon-monitoring-v1.1.1","tf-mod-addon-monitoring-v1.1.0","tf-mod-root-v1.5.1","tf-mod-byo-vpc-v1.6.1","tf-mod-byo-db-v1.3.1","tf-mod-root-v1.5.0","tf-mod-byo-vpc-v1.6.0","tf-mod-addon-mdm-v1.4.0","tf-mod-addon-vuln-processing-v1.1.0","fleet-v4.38.0","tf-mod-root-v1.4.0","tf-mod-byo-vpc-v1.5.0","tf-mod-byo-ecs-v1.4.0","tf-mod-byo-db-v1.3.0","tf-mod-addon-saml-auth-proxy-v1.0.0","tf-mod-addon-saml-auth-proxy-v1.1.0","v4.36.0","orbit-v1.15.0","fleet-v4.36.0","orbit-v1.17.0","v4.37.0","fleet-v4.37.0","orbit-v1.16.0","orbit-v1.16.0-2","tf-mod-addon-mdm-v1.3.0","tf-mod-root-v1.3.0","tf-mod-byo-vpc-v1.4.0","tf-mod-byo-ecs-v1.3.0","tf-mod-byo-db-v1.2.0","tf-mod-root-v1.2.0","tf-mod-byo-vpc-v1.3.0","tf-mod-addon-external-vuln-scans-v1.0.0","orbit-v1.14.0","fleet-v4.35.0","tf-mod-addon-mdm-v1.2.2","tf-mod-addon-mdm-v1.2.1","tf-mod-addon-mdm-v1.2.0","tf-mod-byo-vpc-v1.2.0","tf-mod-byo-ecs-v1.2.0","orbit-v1.13.0","fleet-v4.34.0","orbit-v1.12.1","orbit-v1.12.0","tf-mod-root-v1.1.1","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.1","fleet-v4.33.0","tf-mod-addon-logging-alb-v1.1.1","tf-mod-addon-logging-alb-v1.1.0","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.0","tf-mod-addon-logging-alb-v1.0.2","tf-mod-addon-logging-alb-v1.0.1","orbit-v1.11.0","fleet-v4.32.0","tf-mod-root-v1.1.0","tf-mod-byo-vpc-v1.1.0","tf-mod-byo-ecs-v1.1.0","tf-mod-byo-db-v1.1.0","tf-mod-addon-waf-alb-v1.0.0","tf-mod-addon-vuln-processing-v1.0.0","tf-mod-addon-ses-v1.0.0","tf-mod-addon-osquery-perf-v1.0.0","tf-mod-addon-osquery-carve-v1.0.0","tf-mod-addon-osquery-carve-split-account-split-account-v1.0.0","tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.0.0","tf-mod-addon-monitoring-v1.0.0","tf-mod-addon-mdm-v1.1.0","tf-mod-addon-logging-alb-v1.0.0","tf-mod-addon-byo-firehose-logging-destination-target-account-v1.1.0","tf-mod-addon-byo-firehose-logging-destination-firehose-v1.1.0","tf-mod-addon-bfldf-v1.1.0","fleet-v4.31.0","orbit-v1.10.0","fleet-v4.30.0","orbit-v1.9.1","v4.28.0","fleet-v4.28.0","orbit-v1.9.0","fleet-v4.29.0","tf-mod-addon-mdm-v1.0.0","orbit-v1.8.0","tf-mod-root-v1.0.0","tf-mod-byo-vpc-v1.0.0","tf-mod-byo-ecs-v1.0.0","tf-mod-byo-db-v1.0.0","tf-mod-addon-migrations-v1.0.0","tf-mod-addon-logging-destination-firehose-v1.0.0","tf-mod-addon-byo-firehose-logging-destination-target-account-v1.0.0","tf-mod-addon-byo-firehose-logging-destination-firehose-v1.0.0","orbit-v1.7.0","fleet-v4.27.0","fleet-v4.26.0","orbit-v1.5.0","fleet-v4.25.0","orbit-v1.4.1","fleet-v4.24.0","orbit-v1.4.0","orbit-v1.4.0-rc","fleet-v4.23.0","orbit-v1.3.0-rc","orbit-v1.3.0","fleet-v4.22.0","orbit-v1.2.0-rc1","fleet-v4.20.0","fleet-v4.19.0","orbit-v1.1.0","fleet-v4.18.0","fleet-v4.17.0","orbit-v1.0.0","fleet-v4.16.0","orbit-v0.0.13","fleet-v4.15.0","orbit-v0.0.12","orbit-v0.0.11","fleet-v4.14.0","orbit-v0.0.9","fleet-v4.13.0","fleet-v4.12.0","v0.0.7","orbit-v0.0.7","fleet-v4.11.0","fleet-v4.10.0","v0.0.6","orbit-v0.0.6","fleet-v4.8.0","v0.0.5","v0.0.4","orbit-v0.0.5","orbit-v0.0.4","fleet-v4.7.0","fleet-v4.6.1","fleet-v4.6.0","fleet-v4.5.0","fleet-v4.4.0","fleet-v4.3.1","fleet-v4.3.0","fleet-v4.2.2","fleet-v4.2.0","v4.1.0","v4.0.1","v4.0.0","v4.0.0-rc3","3.13.0","3.12.0","3.11.0","3.10.1","3.10.0","3.9.0","3.8.0","3.7.3","3.7.1","3.7.2","3.7.0","3.6.0","3.5.1","3.5.0","3.4.0","3.3.0","3.2.0","3.1.0","3.0.0","2.6.0","2.5.0","2.4.0","2.3.0","2.2.0","2.1.2","2.1.1","2.1.0","2.0.2","2.0.1","2.0.0","2.0.0-rc5","2.0.0-rc4","2.0.0-rc3","2.0.0-rc2","2.0.0-rc1","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1","1.0.0","1.0.0-rc2","1.0.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27806.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}