CVE-2026-27806: Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
Severity: HIGH (CVSS 7.8), EPSS 0.01%
Description
## Summary

The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into the Tcl brace-quoted `send {%s}`, a password containing `}` terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.

## CWE

- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')

## Impact

- Local privilege escalation to root: any unprivileged local user on a managed endpoint can execute arbitrary commands as root.

## Credit

This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).
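The following Go snippet is an added illustration of the pattern described above; it is not Fleet's or Orbit's own code. It contrasts building the `send {%s}` line by interpolation with a form that never places the password in the Tcl source, and adds a Tcl brace-balance check as a secondary guard. The function names and the `ORBIT_USER_PASSWORD` variable are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// vulnerableScript mirrors the unsafe construction: the password is
// pasted into a Tcl brace literal. An unbalanced '}' in the password
// closes the literal early and the rest is parsed as Tcl commands.
func vulnerableScript(password string) string {
	return fmt.Sprintf("send {%s}\r\n", password) // constructed, not Orbit's script
}

// braceLiteralIntact reports whether s could sit inside a Tcl {...}
// literal without terminating it. Tcl matches braces by nesting depth and
// does not count a brace that is preceded by a backslash.
func braceLiteralIntact(s string) bool {
	depth := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // the escaped character never affects brace matching
		case '{':
			depth++
		case '}':
			depth--
			if depth < 0 {
				return false // literal closed before the password ended
			}
		}
	}
	return depth == 0
}

// safeScript contains no user-controlled bytes at all. expect reads the
// password from its environment at run time; a value produced by $env(...)
// substitution is not re-parsed as Tcl, so any character is safe.
func safeScript() string {
	return "send -- \"$env(ORBIT_USER_PASSWORD)\\r\"\n"
}

// runExpect hands the password to expect through the environment instead
// of the script text (the command is only prepared here, not started).
func runExpect(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", safeScript())
	cmd.Env = append(os.Environ(), "ORBIT_USER_PASSWORD="+password)
	return cmd
}
```

Keeping the secret out of the script text (environment or stdin) is the actual fix; the brace check only detects passwords that would have broken the literal and is useful as a regression test for the interpolating form.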
Affected packages (1)
- Go / github.com/fleetdm/fleet/v4: affected from 0, < 4.81.1 (all versions before 4.81.1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.8) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |