CVE-2026-27806 · HIGH · CVSS 7.8

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Published Apr 8, 2026·Updated Jun 26, 2026

Description

## Summary

The Orbit agent's FileVault disk-encryption key rotation flow on macOS collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script that is then executed with `exec.Command("expect", "-c", script)`. The password is inserted into a Tcl brace-quoted word, `send {%s}`; a password containing an unbalanced `}` terminates the literal, and everything that follows in the password is parsed as further Tcl commands. Because Orbit runs as root, this allows a local unprivileged user to escalate to root.

## CWE

- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')

## Impact

- Local privilege escalation to root: any unprivileged local user on a managed endpoint can execute arbitrary commands as root.

## Credit

This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).
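To make the parsing failure concrete, the following is an added Go example, not Orbit's code and not Fleet's fix. It rebuilds the `send {%s}` interpolation the advisory describes, checks whether a given password would break out of the Tcl brace literal (applying Tcl's rule that braces nest and that a backslash-quoted brace does not count), and contrasts it with a variant that hands the secret to `expect` through the process environment so it never appears in the script text. The `rotate-fv-key` command, the prompt strings and the `FV_USER_PASSWORD` variable name are placeholders chosen for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// vulnerableScript reproduces the unsafe pattern from the advisory: the
// user-supplied password is formatted straight into a Tcl brace literal.
// The spawn/expect lines are placeholders, not Orbit's real script.
func vulnerableScript(password string) string {
	return fmt.Sprintf("spawn rotate-fv-key\n"+
		"expect \"Password:\"\n"+
		"send {%s}\n"+
		"send \"\\r\"\n"+
		"expect eof\n", password)
}

// breaksBraceLiteral reports whether s, when embedded as {s} in a Tcl script,
// would not be treated as one literal word. Tcl nests braces and ignores a
// brace that is quoted by a backslash, so the walk tracks nesting depth and
// skips the character after a backslash. It returns true when a '}' closes
// the literal early (the rest of s becomes Tcl code), when an unmatched '{'
// leaves the literal open (it swallows the rest of the script), or when a
// trailing backslash would quote the template's own closing brace.
func breaksBraceLiteral(s string) bool {
	depth := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			if i+1 == len(s) {
				return true // "\}" at the end: closing brace is quoted away
			}
			i++ // quoted character never affects nesting
		case '{':
			depth++
		case '}':
			if depth == 0 {
				return true // literal terminated; remainder is parsed as Tcl
			}
			depth--
		}
	}
	return depth != 0
}

// hardenedCommand never puts the secret into the script. The script reads it
// from the environment, and Tcl does not re-parse the result of a $env(...)
// substitution, so braces, semicolons or brackets in the password are sent
// verbatim. "--" stops send from treating a leading '-' as an option.
// Returns the prepared command and the script text so callers can inspect it.
func hardenedCommand(password string) (*exec.Cmd, string) {
	script := "spawn rotate-fv-key\n" +
		"expect \"Password:\"\n" +
		"send -- \"$env(FV_USER_PASSWORD)\\r\"\n" +
		"expect eof\n"
	cmd := exec.Command("expect", "-c", script)
	cmd.Env = append(os.Environ(), "FV_USER_PASSWORD="+password)
	return cmd, script
}

func main() {
	// Constructed password that closes the literal and appends Tcl commands.
	payload := "x}; exec touch /tmp/pwned; send {y"
	fmt.Println("vulnerable script with the injected password:")
	fmt.Print(vulnerableScript(payload))
	fmt.Println("breaks out of brace literal:", breaksBraceLiteral(payload))
	_, script := hardenedCommand(payload)
	fmt.Println("hardened script contains the password:", strings.Contains(script, payload))
}
```

With the constructed payload, the vulnerable template yields `send {x}; exec touch /tmp/pwned; send {y}`, three valid Tcl commands on one line, which `expect` runs with Orbit's root privileges. The environment-based variant keeps the script constant regardless of password content; the variable is only readable from the root-owned process, and piping the secret over stdin and reading it with `gets stdin` would be an equally sound alternative.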

Affected Packages (1)

github.com/fleetdm/fleet/v4 (Go)
Fixed in 4.81.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

