CVE-2026-28279
Status: Received - Intake
OS Command Injection in osctrl Admin Enables Root Remote Code Execution

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2026-02-27
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: jmpsec
Product: osctrl
Version range: all versions before 0.5.0 (0.5.0 excluded)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in osctrl, an osquery management solution, prior to version 0.5.0. It is an OS command injection flaw in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands through the hostname parameter when creating or editing environments.

These injected commands are embedded into enrollment one-liner scripts generated using Go's text/template package, which does not perform shell escaping. As a result, the commands execute on every endpoint that enrolls using the compromised environment.

The commands run with root or SYSTEM privileges before osquery is installed, leaving no agent-level audit trail. This allows an attacker with administrator access to achieve remote code execution on all enrolled endpoints.


How can this vulnerability impact me?

This vulnerability can lead to full endpoint compromise because injected commands execute with root or SYSTEM privileges on every enrolled endpoint.

An attacker can install backdoors, exfiltrate credentials, and perform remote code execution without leaving an agent-level audit trail.

This means that any system enrolled using the compromised environment is at risk of being fully controlled by an attacker with administrator access to osctrl.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reviewing existing environment configurations for suspicious or unexpected hostnames that may contain injected shell commands.

Additionally, monitoring enrollment one-liner scripts generated by osctrl for unexpected or arbitrary commands can help identify exploitation attempts.

Since the commands execute as root/SYSTEM before osquery installation and leave no agent-level audit trail, detection via traditional endpoint logs may be limited.

No specific commands are provided in the available information to detect this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, restrict osctrl administrator access to trusted personnel only.

Review all existing environment configurations for suspicious hostnames that may contain injected commands.

Monitor enrollment scripts for unexpected or arbitrary commands that could indicate exploitation.

Upgrade osctrl to version 0.5.0 or later, where this vulnerability is fixed.
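The mechanism in the description (a hostname substituted into a shell one-liner by Go's `text/template`, which performs no shell escaping) and the review of existing hostnames suggested in the detection and mitigation answers, as an added Go illustration that is not osctrl's code: the one-liner template, its URL and the function names are constructed for this example, and the hardened path is a strict hostname allow-list rather than any attempt at shell quoting.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Constructed enrollment one-liner. text/template substitutes {{.Hostname}}
// verbatim; it knows nothing about shell quoting.
var enrollTmpl = template.Must(template.New("enroll").Parse(
	`curl -sk https://{{.Hostname}}/enroll.sh | sh`))

// hostnameRe matches RFC 1123 hostnames (dot-separated labels of letters,
// digits and hyphens), so whitespace, quotes, ';', '|', '$' and '`' cannot match.
var hostnameRe = regexp.MustCompile(
	`^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*` +
		`[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ValidateHostname is the allow-list check the weak path lacks. Run it over
// stored environment records as well, to flag hostnames worth reviewing.
func ValidateHostname(h string) error {
	if h == "" || len(h) > 253 || !hostnameRe.MatchString(h) {
		return fmt.Errorf("hostname %q is not a plain RFC 1123 hostname", h)
	}
	return nil
}

// RenderUnchecked reproduces the weak pattern: no validation, so any
// metacharacters in the hostname reach the generated script untouched.
func RenderUnchecked(host string) (string, error) {
	var buf bytes.Buffer
	if err := enrollTmpl.Execute(&buf, map[string]string{"Hostname": host}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderChecked refuses to render unless the hostname passes the allow-list.
func RenderChecked(host string) (string, error) {
	if err := ValidateHostname(host); err != nil {
		return "", err
	}
	return RenderUnchecked(host)
}
```

Rejecting anything that is not a plain hostname at the admin input boundary is the fix that matters here; escaping the value for one shell would still leave the generated script dependent on which shell each endpoint runs.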

