{"id":"GHSA-rchw-322g-f7rm","summary":"osctrl is Vulnerable to OS Command Injection via Environment Configuration","details":"### Summary\nAn OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment.\n\n### Impact\nAn attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise.\n\n### Patches\nFixed in osctrl `v0.5.0`. Users should upgrade immediately.\n\n### Workarounds\nRestrict osctrl administrator access to trusted personnel. Review existing environment configurations for suspicious hostnames. Monitor enrollment scripts for unexpected commands.\n\n### Credits\n\nLeon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)\n\nhttps://github.com/Kwangyun → @Kwangyun\nhttps://github.com/sho-luv → @sho-luv","aliases":["CVE-2026-28279","GO-2026-4579"],"modified":"2026-03-23T04:56:03.882983230Z","published":"2026-02-28T02:05:48Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-78"],"severity":"HIGH","github_reviewed_at":"2026-02-28T02:05:48Z","nvd_published_at":"2026-02-26T23:16:37Z"},"references":[{"type":"WEB","url":"https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28279"},{"type":"WEB","url":"https://github.com/jmpsec/osctrl/pull/777"},{"type":"WEB","url":"https://github.com/jmpsec/osctrl/pull/780"},{"type":"PACKAGE","url":"https://github.com/jmpsec/osctrl"}],"affected":[{"package":{"name":"github.com/jmpsec/osctrl","ecosystem":"Go","purl":"pkg:golang/github.com/jmpsec/osctrl"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.5.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rchw-322g-f7rm/GHSA-rchw-322g-f7rm.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"}]}