CVE-2026-27806
Published: 08 April 2026
Summary
CVE-2026-27806 is a high-severity OS Command Injection (CWE-78) vulnerability in Fleetdm Fleet. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE sits at the 3.6th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents command injection by validating and sanitizing the user password input before interpolating it into the Tcl/expect script.
- SI-2 (Flaw Remediation): Ensures timely remediation of the specific command injection flaw through patching to Orbit agent version 4.81.1 or later.
- Least privilege: Limits the impact of successful command injection by enforcing least privilege on the root-running Orbit agent process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local unprivileged user exploits command injection in the root-running Orbit agent (via its Tcl/expect script) during FileVault key rotation to execute arbitrary commands as root, which maps directly to T1068 Exploitation for Privilege Escalation.
NVD Description
Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on macOS collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1.
Deeper analysis
CVE-2026-27806 is a command injection vulnerability (CWE-78) in Fleet, an open source device management platform. It affects the Orbit agent prior to version 4.81.1, specifically the FileVault disk encryption key rotation flow. The agent collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed with exec.Command("expect", "-c", script). Because the password is placed inside a Tcl brace-quoted word, send {%s}, a password containing an unbalanced closing brace "}" terminates the literal early, and whatever follows is parsed as further Tcl commands. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local unprivileged user can exploit this during the key rotation process by entering a password that includes a "}" character, followed by malicious Tcl commands. Since the Orbit agent runs as root, successful exploitation allows the attacker to execute arbitrary commands with root privileges, achieving full privilege escalation on the affected system.
The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2 confirms the issue and states that it is fixed in Orbit agent version 4.81.1. Security practitioners should update to this version or later to mitigate the vulnerability.
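The following Go program is an added illustration of the mechanism described above and is not Fleet's code. It reproduces the vulnerable shape (a password formatted into a brace-quoted Tcl word), adds a checker that applies Tcl's own brace-counting rules to decide whether a string would end the literal early, and shows one way to build the expect invocation without ever interpolating the password into the script. The spawned tool path, the prompt text and the environment variable name ORBIT_ROTATE_PW are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// buildScriptUnsafe reproduces the vulnerable pattern from the advisory:
// the user-supplied password is formatted straight into a brace-quoted
// Tcl word. The spawned tool and prompt are illustrative, not Fleet's.
func buildScriptUnsafe(password string) string {
	return fmt.Sprintf(`spawn /usr/bin/rotate-key
expect "Enter the user password:"
send {%s}
send "\r"
expect eof
`, password)
}

// tclBraceSafe reports whether s can sit inside a Tcl brace-quoted word
// as-is. Tcl nests braces, ignores braces preceded by a backslash, and
// ends the word at the first unmatched "}". So "{a}" and `x\}y` are fine,
// "a}" breaks out, "a{" and a trailing backslash swallow the closing brace.
func tclBraceSafe(s string) bool {
	depth := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			if i+1 >= len(s) {
				return false // would quote the template's own closing brace
			}
			i++ // the quoted byte is not counted for nesting
		case '{':
			depth++
		case '}':
			depth--
			if depth < 0 {
				return false // closes the enclosing literal: injection point
			}
		}
	}
	return depth == 0
}

// safeScript never contains the password. expect reads it from its
// environment at runtime, and Tcl's $env(...) substitution does not
// re-parse the value as code. "--" keeps a leading "-" in the password
// from being read as a flag to send.
const safeScript = `spawn /usr/bin/rotate-key
expect "Enter the user password:"
send -- "$env(ORBIT_ROTATE_PW)\r"
expect eof
`

// safeCommand builds the expect invocation with a fixed script; the
// password travels out of band. ORBIT_ROTATE_PW is a name chosen for this
// example (assumption), not Fleet's.
func safeCommand(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", safeScript)
	cmd.Env = append(os.Environ(), "ORBIT_ROTATE_PW="+password)
	return cmd
}

func main() {
	// Constructed sample inputs: a plain password, a balanced-brace one,
	// and a breakout that smuggles in a harmless extra Tcl command.
	breakout := "a}\nputs injected\nsend {"
	for _, pw := range []string{"hunter2", "{ok}", breakout} {
		fmt.Printf("%-28q brace-safe=%v\n", pw, tclBraceSafe(pw))
	}
	fmt.Println("--- script the vulnerable pattern would hand to expect -c ---")
	fmt.Print(buildScriptUnsafe(breakout))
	fmt.Println("--- fixed shape: script unchanged by input?",
		safeCommand(breakout).Args[2] == safeScript)
}
```

Running it prints the unsafe script with `puts injected` on its own line between two `send` commands, which is exactly the breakout the advisory describes; the fixed shape hands expect the same script text regardless of input. tclBraceSafe is a detection aid for the old pattern (or a defence-in-depth check), not a substitute for keeping the secret out of the script. Passing the secret through the environment of a root-owned child is one option; piping it over stdin is another, and either is preferable to escaping.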
Details
- CWE(s)