{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27806", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.267Z", "datePublished": "2026-04-08T17:40:24.119Z", "dateUpdated": "2026-04-09T14:24:14.670Z"}, "containers": {"cna": {"title": "Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"version": "< 4.81.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:40:24.119Z"}, "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command(\"expect\", \"-c\", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1."}], "source": {"advisory": "GHSA-rphv-h674-5hp2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:24:06.342149Z", "id": "CVE-2026-27806", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:24:14.670Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T14:24:06.342149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:24:10.875Z"}}], "cna": {"title": "Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit", "source": {"advisory": "GHSA-rphv-h674-5hp2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"status": "affected", "version": "< 4.81.1"}]}], "references": [{"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2", "name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command(\"expect\", \"-c\", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:40:24.119Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27806", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:24:14.670Z", "dateReserved": "2026-02-24T02:31:33.267Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T17:40:24.119Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "matchCriteriaId": "09CFBED5-C6C2-4CCB-A48C-7E89E878E4F7", "versionEndExcluding": "4.81.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command(\"expect\", \"-c\", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1."}], "id": "CVE-2026-27806", "lastModified": "2026-04-14T19:31:32.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:13.543", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.81.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fleet", "source": "cna", "vendor": "fleetdm"}, "product": "fleet", "vendor": "fleetdm"}], "analysis": {"en": {"generated_at": "2026-04-14T21:29:00.524650+00:00", "value": {"mitigation_remediation": ["Upgrade all Fleet installations to version 4.81.1 or later to apply the fix for the Tcl command injection flaw."], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All instances of the Fleet device management software using the Orbit agent before version 4.81.1 are affected. The flaw manifests during the FileVault disk encryption key rotation flow, which typically occurs on macOS systems where the agent prompts a user for a password and then executes it within a Tcl script. Any device running an earlier Fleet release that includes this flow is vulnerable.", "description_and_impact": "The Fleet Orbit agent executes a Tcl/expect script that embeds a password entered by a local user. A password containing the closing brace character terminates the literal Tcl send command and injects arbitrary Tcl commands. Because the agent runs as root, this injection grants the attacker full root privileges, enabling system compromise, data exfiltration, or modification of critical files. The vulnerability directly jeopardizes confidentiality, integrity, and availability of affected devices.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity, while the EPSS score below 1% suggests a low likelihood of exploitation under normal conditions. The likely attack vector is local, requiring the attacker to be an authenticated user who can trigger the password prompt; no remote trigger is described in the data. If exploited, the attacker would obtain unrestricted root access, representing a high-impact outcome. The vulnerability is not listed in CISA\u2019s KEV catalog, so no publicly documented exploitation is known, but its presence in root execution makes it a serious threat for local users."}}}}, "created": "2026-04-08T19:33:16.723960+00:00", "updated": "2026-04-15T16:15:11.935633+00:00", "vendors": ["fleetdm", "fleetdm$PRODUCT$fleet"]}