CVE-2026-28279
Published: 26 February 2026
Summary
CVE-2026-28279 is a high-severity OS Command Injection (CWE-78) vulnerability in Jmpsec Osctrl. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 45.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28279 is an OS command injection vulnerability in osctrl, an osquery management solution, affecting versions prior to 0.5.0. The flaw resides in the osctrl-admin environment configuration, where the hostname parameter used during environment creation or editing allows injection of arbitrary shell commands. These commands are embedded into enrollment one-liner scripts generated via Go's text/template package, which lacks shell escaping, leading to execution on endpoints during enrollment.
An authenticated administrator can exploit this vulnerability to achieve remote code execution on every endpoint that enrolls using the compromised environment. The injected commands execute with root or SYSTEM privileges (the level at which osquery enrollment runs) before osquery is installed, so no agent-level audit trail records them. This enables attackers to install backdoors, exfiltrate credentials, and fully compromise endpoints. Exploitation requires administrator privileges, adjacent network access, high attack complexity, and user interaction (an endpoint must run the enrollment one-liner), as reflected in the CVSS v3.1 vector AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H (base score 7.3); the scope is changed because the payload executes on enrolling endpoints rather than on the osctrl server itself. The weakness is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). In practice the precondition is a malicious or compromised osctrl administrator account, which turns the management plane into a code-distribution channel for every host that subsequently enrolls.
The vulnerability is fixed in osctrl version 0.5.0. Advisories recommend restricting osctrl administrator access to trusted personnel, reviewing existing environment configurations for suspicious hostnames, and monitoring enrollment scripts for unexpected commands as workarounds. Details are available in the GitHub security advisory (GHSA-rchw-322g-f7rm) and related pull requests #777 and #780.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8922
Vulnerability details
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
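The following Go program is an added example, not code from osctrl or its advisory. It reproduces the pattern described in the deeper analysis and the advisory text above: a `text/template` enrollment one-liner that substitutes an administrator-supplied hostname verbatim, with no shell quoting, and next to it a hardened version that allow-lists the hostname before rendering. The same validation function also implements the advisory's workaround of reviewing existing environments for suspicious hostnames. The template string, the `Environment` struct, the function names, and the sample hostnames are constructed for illustration and do not come from the osctrl code base.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// enrollTemplate is a constructed stand-in for an enrollment one-liner
// template (hypothetical; the real osctrl templates are not reproduced).
// text/template substitutes {{.Hostname}} verbatim: no shell escaping.
const enrollTemplate = `curl -sk https://{{.Hostname}}/{{.Env}}/enroll.sh | sudo sh`

// Environment holds the two fields this example needs (hypothetical names).
type Environment struct {
	Hostname string
	Env      string
}

// renderOneLiner is the vulnerable pattern: whatever is stored as the
// hostname ends up inside the shell command line unchanged.
func renderOneLiner(e Environment) (string, error) {
	tmpl, err := template.New("enroll").Parse(enrollTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// hostnameRe accepts an RFC 1123 host name (dot-separated labels of letters,
// digits and hyphens, not starting or ending with a hyphen) plus an optional
// :port. Every shell metacharacter (; | & $ ` ( ) space, newline) is outside
// this allow-list, so it cannot reach the template at all.
var hostnameRe = regexp.MustCompile(
	`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*` +
		`[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(:[0-9]{1,5})?$`)

// ValidateHostname is the hardened check: allow-list validation of the
// untrusted input (the SI-10 style control) rather than trying to escape it.
func ValidateHostname(h string) error {
	if len(h) == 0 || len(h) > 253 {
		return fmt.Errorf("hostname length %d out of range", len(h))
	}
	if !hostnameRe.MatchString(h) {
		return fmt.Errorf("hostname %q contains characters outside the allow-list", h)
	}
	return nil
}

// SafeRender refuses to produce an enrollment script unless the hostname
// passes validation; the template itself is unchanged.
func SafeRender(e Environment) (string, error) {
	if err := ValidateHostname(e.Hostname); err != nil {
		return "", err
	}
	return renderOneLiner(e)
}

// SuspiciousHostnames implements the advisory's workaround of reviewing
// existing environment configurations: it returns the names of environments
// whose stored hostname would not pass validation.
func SuspiciousHostnames(envs []Environment) []string {
	var flagged []string
	for _, e := range envs {
		if err := ValidateHostname(e.Hostname); err != nil {
			flagged = append(flagged, e.Env)
		}
	}
	return flagged
}

func main() {
	// Constructed sample environments: one benign, one carrying an injected
	// command (the "#" comments out the rest of the generated one-liner).
	envs := []Environment{
		{Hostname: "osctrl.example.internal", Env: "prod"},
		{Hostname: "osctrl.example.internal; echo injected #", Env: "staging"},
	}
	for _, e := range envs {
		raw, _ := renderOneLiner(e)
		fmt.Printf("vulnerable render [%s]: %s\n", e.Env, raw)
		if _, err := SafeRender(e); err != nil {
			fmt.Printf("hardened render   [%s]: rejected: %v\n", e.Env, err)
		} else {
			fmt.Printf("hardened render   [%s]: ok\n", e.Env)
		}
	}
	fmt.Println("environments to review:", SuspiciousHostnames(envs))
}
```

Running it prints the staging one-liner with `; echo injected #` spliced into the command line, then shows the hardened path rejecting that environment and listing it for review. Allow-listing is preferred over shell quoting here because the generated script is executed by whichever shell the endpoint has, and quoting rules differ across them; a hostname that only ever contains RFC 1123 characters is safe in all of them.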
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection into enrollment one-liner scripts (via unsanitized hostname in Go template) directly enables arbitrary Unix shell command execution on endpoints (T1059.004) and abuse of the osquery management/deployment platform to push code to all enrolling agents (T1072).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input (the hostname) to block OS command injection into generated enrollment scripts.
- CM-5 (Access Restrictions for Change): enforces access restrictions on configuration changes, limiting the ability of authenticated administrators to inject malicious hostnames into environments.
- Limits privileges of administrator accounts so that only trusted personnel can create or modify environments that affect enrollment scripts.