Publish GHSA-rphv-h674-5hp2

advisory-database[bot] · advisory-database[bot] · commit 779a16c685ea · 2026-04-08T18:05:48.000Z
diff --git a/advisories/github-reviewed/2026/04/GHSA-rphv-h674-5hp2/GHSA-rphv-h674-5hp2.json b/advisories/github-reviewed/2026/04/GHSA-rphv-h674-5hp2/GHSA-rphv-h674-5hp2.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rphv-h674-5hp2",
+  "modified": "2026-04-08T18:03:52Z",
+  "published": "2026-04-08T18:03:52Z",
+  "aliases": [
+    "CVE-2026-27806"
+  ],
+  "summary": "Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit",
+  "details": "## Summary\n\nThe Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command(\"expect\", \"-c\", script)`. Because the password is inserted into Tcl brace-quoted `send {%s}`, a password containing `}` terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.\n\n## CWE\n\n- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n- **CWE-94**: Improper Control of Generation of Code ('Code Injection')\n\n## Impact\n\n- Local privilege escalation to root: Any unprivileged local user on a managed endpoint can execute arbitrary commands as root\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/fleetdm/fleet/v4"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.81.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/fleetdm/fleet"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T18:03:52Z",
+    "nvd_published_at": null
+  }
+}
