{"id":"GHSA-rphv-h674-5hp2","summary":"Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit","details":"## Summary\n\nThe Orbit agent's FileVault disk encryption key rotation flow on macOS collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command(\"expect\", \"-c\", script)`. Because the password is inserted into the Tcl brace-quoted literal `send {%s}`, a password containing an unbalanced `}` terminates the literal early, and the remainder of the password is parsed and executed by expect as Tcl commands. Since Orbit runs as root, a local unprivileged user can escalate to root.\n\n## CWE\n\n- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n- **CWE-94**: Improper Control of Generation of Code ('Code Injection')\n\n## Impact\n\n- Local privilege escalation to root: any unprivileged local user on a managed endpoint can execute arbitrary commands as root\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).","aliases":["CVE-2026-27806"],"modified":"2026-04-08T18:17:08.685110Z","published":"2026-04-08T18:03:52Z","database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-78"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2026-04-08T18:03:52Z"},"references":[{"type":"WEB","url":"https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"},{"type":"PACKAGE","url":"https://github.com/fleetdm/fleet"}],"affected":[{"package":{"name":"github.com/fleetdm/fleet/v4","ecosystem":"Go","purl":"pkg:golang/github.com/fleetdm/fleet/v4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.81.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rphv-h674-5hp2/GHSA-rphv-h674-5hp2.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}
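Added example (not Orbit's source and not the Fleet fix): a Go reconstruction of the injection pattern the advisory describes, a checker that applies Tcl's brace-word rules to show exactly which passwords break out of `send {...}`, and a hardened variant that keeps the password out of the script text altogether by handing it to expect through the process environment. The spawned command `/path/to/rotation-tool` and the variable name `ORBIT_ROTATE_PW` are placeholders.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// vulnerableScript reproduces the advisory's pattern: the raw password is
// formatted straight into a brace-quoted Tcl literal. Placeholder command.
func vulnerableScript(password string) string {
	return fmt.Sprintf("spawn /path/to/rotation-tool\nexpect \"Password:\"\nsend {%s}\r\nexpect eof\n", password)
}

// classifyBraceLiteral applies Tcl's rules for a brace-quoted word to a
// password dropped inside `send {...}`: braces nest, a backslash quotes the
// following character (so `\}` does not count), and the word ends at the
// brace that brings the nesting depth back to zero.
//
//	"intact"       the template's own closing brace ends the word, as intended
//	"breakout"     the word closes inside the password; the rest is Tcl code
//	"unterminated" the word never closes; expect fails with a parse error
func classifyBraceLiteral(password string) string {
	depth := 1 // we are already inside the template's opening brace
	for i := 0; i < len(password); i++ {
		switch password[i] {
		case '\\':
			if i == len(password)-1 {
				// a trailing backslash quotes the template's closing brace
				return "unterminated"
			}
			i++ // skip the quoted character
		case '{':
			depth++
		case '}':
			depth--
			if depth == 0 {
				return "breakout"
			}
		}
	}
	if depth != 1 {
		return "unterminated"
	}
	return "intact"
}

// hardenedScript never contains the password. expect reads it from the
// environment at runtime; the substituted value is data, not re-parsed code.
// `send --` stops a password beginning with '-' from being read as a flag.
const hardenedScript = "spawn /path/to/rotation-tool\nexpect \"Password:\"\nsend -- \"$env(ORBIT_ROTATE_PW)\\r\"\nexpect eof\n"

// hardenedCommand builds (but does not run) the expect invocation with the
// password supplied via the environment instead of the script text.
func hardenedCommand(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", hardenedScript)
	cmd.Env = append(os.Environ(), "ORBIT_ROTATE_PW="+password)
	return cmd
}

func main() {
	// Constructed sample passwords, including a breakout payload of the
	// shape the advisory describes (harmless here: nothing is executed).
	samples := []string{
		"correct horse",
		"x}; exec /bin/sh -c {touch /tmp/owned}; send {y",
		`a\}b`,
		"a{b",
		`abc\`,
	}
	for _, pw := range samples {
		fmt.Printf("%-52q %s\n", pw, classifyBraceLiteral(pw))
	}
	cmd := hardenedCommand("x}; puts {y")
	fmt.Printf("password present in hardened script: %v\n", strings.Contains(cmd.Args[2], "x}"))
}
```

Escaping the password for Tcl is the wrong fix: inside braces a backslash is preserved literally, so `\}` would change the password actually sent. Keeping the secret out of the script, as above, removes the parsing problem entirely; the environment of a root process is readable only by root, and feeding the password over stdin is an equally sound alternative.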