Cyber Resilience

CVE-2026-27208

CriticalLPE

Published: 24 February 2026

Published
24 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 9.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
EPSS Score 0.0066 46.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-27208 is a critical-severity OS Command Injection (CWE-78) vulnerability in Bleon-Ethical Api-Gateway-Deploy. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-27208 affects version 1.0.0 of bleon-ethical/api-gateway-deploy, an API gateway deployment tool. The vulnerability is an attack chain combining OS command injection (CWE-78, CWE-88) with privilege escalation (CWE-250, CWE-269), stemming from improper input handling and execution of commands as root within the container. It carries a CVSS v3.1 base score of 9.2 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H), highlighting its critical severity due to high impact on confidentiality, availability, and scope change.

A local attacker with no privileges required can exploit this vulnerability with low complexity and no user interaction. Successful exploitation enables execution of arbitrary commands with root privileges inside the container, potentially leading to container escape and unauthorized modifications to the underlying infrastructure.

The vulnerability is addressed in version 1.0.1 through strict input sanitization, secure delimiters in entrypoint.sh, enforcement of a non-root user (appuser) in the Dockerfile, and mandatory security quality gates. Details are available in the GitHub security advisory (GHSA-chh5-w73q-4gmm) and release notes at the Security tag.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a container escape…

more

and unauthorized infrastructure modifications. This is fixed in version 1.0.1 by implementing strict input sanitization and secure delimiters in entrypoint.sh, enforcing a non-root user (appuser) in the Dockerfile, and establishing mandatory security quality gates.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE enables OS command injection for Unix Shell execution (T1059.004) and privilege escalation to root privileges inside the container (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26318Shared CWE-78
CVE-2024-49563Shared CWE-78
CVE-2026-42924Shared CWE-78
CVE-2025-66209Shared CWE-78
CVE-2026-34937Shared CWE-78
CVE-2025-27394Shared CWE-78
CVE-2023-37937Shared CWE-78
CVE-2025-24378Shared CWE-78
CVE-2025-24380Shared CWE-78
CVE-2025-70329Shared CWE-78

Affected Assets

bleon-ethical
api-gateway-deploy
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses OS command injection by requiring strict validation and sanitization of inputs to prevent arbitrary command execution.

prevent

Mitigates privilege escalation by enforcing least privilege, such as running container processes as a non-root user like appuser instead of root.

prevent

Ensures secure configuration settings in the Dockerfile and entrypoint.sh, including secure delimiters and mandatory security quality gates.

References