CVE-2026-27208
OS Command Injection and Privilege Escalation in bleon-ethical/api-gateway-deploy
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bleon-ethical | api-gateway-deploy | 1.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27208 is a critical vulnerability in the api-gateway-deploy Docker container version 1.0.0 that involves a combination of OS Command Injection and Privilege Escalation.
The vulnerability exists in the entrypoint.sh script where the sed command uses an environment variable ($INPUT_CORS_DOMAIN) without proper sanitization or secure delimiters. This allows an attacker to inject malicious commands that break out of the intended command context.
Because the container runs as root by default (due to lack of a USER directive in the Dockerfile), the injected commands execute with root privileges inside the container.
This can lead to arbitrary command execution, privilege escalation, and potentially escaping the container to make unauthorized modifications to the underlying infrastructure.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are to upgrade the api-gateway-deploy container to version 1.0.1, which includes fixes for this vulnerability.
Version 1.0.1 implements strict input sanitization and secure delimiters in the `entrypoint.sh` script to prevent command injection.
It also enforces running the container as a non-root user (`appuser`) by adding a `USER` directive in the Dockerfile, reducing privilege escalation risks.
Additionally, mandatory security quality gates using tools like Semgrep, Checkov, Trivy, and Gitleaks have been introduced to prevent similar issues.
Until the upgrade is applied, avoid running the vulnerable container in production and restrict access to the environment variables that could be exploited.
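The following is an added illustration of the unsafe `sed` pattern described above and of the kind of sanitization the 1.0.1 fix introduces; it is not code from the api-gateway-deploy project, and the `__CORS_DOMAIN__` placeholder, file names and allowlist regex are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh: substituting a CORS origin
# taken from the environment into a config file without letting the value
# alter the sed expression. Placeholder, file names and regex are assumptions.

# Reconstructed shape of the vulnerable pattern, shown for contrast only:
#   sed -i "s/__CORS_DOMAIN__/$INPUT_CORS_DOMAIN/" gateway.conf
# The raw value is pasted into the sed script, so a value containing the '/'
# delimiter or other sed syntax changes what sed executes (as root, here).

# 1. Allowlist: optional scheme, dotted hostname labels, optional port.
#    Anything else, including sed delimiters and command separators, is refused.
is_valid_origin() {
  printf '%s\n' "$1" |
    grep -Eq '^(https?://)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}(:[0-9]{1,5})?$'
}

# 2. Escape what sed treats specially on the replacement side when '|' is the
#    delimiter (backslash, '|', '&'); defence in depth behind the allowlist.
sed_escape_replacement() {
  printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# 3. Render the template into the output file; non-zero exit on a bad value,
#    so the entrypoint refuses to start instead of running a tampered script.
render_cors_config() {
  origin="$1" template="$2" out="$3"
  if ! is_valid_origin "$origin"; then
    echo "refusing CORS origin: $origin" >&2
    return 1
  fi
  esc=$(sed_escape_replacement "$origin")
  sed -e "s|__CORS_DOMAIN__|$esc|" "$template" > "$out"
}

# Constructed demo: one nginx-style header line serves as the template.
tpl=$(mktemp) && out=$(mktemp)
printf 'add_header Access-Control-Allow-Origin "__CORS_DOMAIN__";\n' > "$tpl"
render_cors_config "${INPUT_CORS_DOMAIN:-https://app.example.com}" "$tpl" "$out" \
  && cat "$out"
rm -f "$tpl" "$out"
```

Hostnames without a dot (such as `localhost`) are rejected by this allowlist; widen the regex deliberately rather than dropping the check.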
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands with root privileges inside the container.
The attacker can escalate privileges and potentially escape the container, leading to unauthorized modifications of the infrastructure hosting the container.
Such unauthorized access can compromise confidentiality, availability, and integrity of the system, as indicated by the CVSS score metrics.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the `entrypoint.sh` script in the api-gateway-deploy Docker container version 1.0.0 for unsafe usage of the `sed` command with unsanitized environment variables, specifically the `$INPUT_CORS_DOMAIN` variable.

A practical detection method is to check if the container is running version 1.0.0 and if the Dockerfile lacks a `USER` directive, which causes the container to run as root.

Suggested commands to detect the vulnerability include:

- Inspect the `entrypoint.sh` script for unsafe `sed` usage: `grep -n "sed -i" entrypoint.sh` and check if `$INPUT_CORS_DOMAIN` is used without sanitization.
- Check the Dockerfile for the presence or absence of a `USER` directive: `grep -i USER Dockerfile`.
- Verify the running container version: `docker inspect --format='{{.Config.Image}}' <container_id>` and compare with version 1.0.0.
- Scan for suspicious environment variable values that might contain injection payloads, e.g., `docker exec <container_id> env | grep INPUT_CORS_DOMAIN`. [1]