{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27806", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.267Z", "datePublished": "2026-04-08T17:40:24.119Z", "dateUpdated": "2026-04-08T17:40:24.119Z"}, "containers": {"cna": {"title": "Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"version": "< 4.81.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:40:24.119Z"}, "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command(\"expect\", \"-c\", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1."}], "source": {"advisory": "GHSA-rphv-h674-5hp2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command(\"expect\", \"-c\", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1."}], "id": "CVE-2026-27806", "lastModified": "2026-04-08T19:25:13.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:13.543", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.81.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fleet", "source": "cna", "vendor": "fleetdm"}, "product": "fleet", "vendor": "fleetdm"}], "analysis": {"en": {"generated_at": "2026-04-08T19:36:33.804299+00:00", "value": {"mitigation_remediation": ["Upgrade Fleet to version 4.81.1 or later to apply the fix for the Orbit agent.", "Confirm that all managed devices are running the patched version of the Orbit agent.", "Restrict local user access to the device or privilege level if the agent cannot be updated immediately.", "Stay informed of further advisories from fleetdm and monitor the project\u2019s official release notes for additional security patches."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Root"}, "threat_synthesis": {"affected_systems": "The defect impacts the open\u2011source Fleet project, specifically the Orbit agent component. All releases before version 4.81.1 of Fleet are vulnerable. This includes devices running any Fleet release from 4.0 up through 4.81.0, as the FileVault rotation functionality existed unchanged until the patch. The issue is confined to environments where the Orbit agent executes as root and a local user can trigger the password dialog.", "description_and_impact": "An application\u2011layer flaw in the Orbit agent of Fleet device management software allows a local user to inject arbitrary Tcl commands. During the FileVault key rotation flow, a GUI prompt captures a user\u2019s password and inserts it directly into a Tcl/expect script. Because the password is embedded inside a Tcl brace\u2011quoted string, an input that contains a closing brace prematurely terminates the literal and permits the execution of arbitrary Tcl commands. Since Orbit runs as root, the attacker can run commands with elevated privileges, effectively gaining full root access. This vulnerability is categorized as CWE\u201178, a code\u2011execution flaw caused by unsanitized input.", "risk_and_exploitability": "With a CVSS v3.1 score of 7.8, the vulnerability is considered high severity. The EPSS score is unavailable, but the advisory notes that exploitation requires local access to the device and the ability to invoke the Disk\u2011Encryption key rotation routine. A local attacker can simply trigger this action from the Fleet interface or via command line. Because the agent runs as root, the impact is a complete system compromise, providing the attacker with persistence, data exfiltration, and potential lateral movement within the managed environment. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet."}}}}, "created": "2026-04-08T19:33:16.723960+00:00", "updated": "2026-04-08T19:38:53.814246+00:00", "vendors": ["fleetdm", "fleetdm$PRODUCT$fleet"]}