CVE-2026-28279
Received Received - Intake
OS Command Injection in osctrl Admin Enables Root Remote Code Execution

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28279
EUVD
EUVD-2026-8922
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jmpsec osctrl to 0.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in osctrl, an osquery management solution, prior to version 0.5.0. It is an OS command injection flaw in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands through the hostname parameter when creating or editing environments.

These injected commands are embedded into enrollment one-liner scripts generated using Go's text/template package, which does not perform shell escaping. As a result, the commands execute on every endpoint that enrolls using the compromised environment.

The commands run with root or SYSTEM privileges before osquery is installed, leaving no agent-level audit trail. This allows an attacker with administrator access to achieve remote code execution on all enrolled endpoints.

Impact Analysis

This vulnerability can lead to full endpoint compromise because injected commands execute with root or SYSTEM privileges on every enrolled endpoint.

An attacker can install backdoors, exfiltrate credentials, and perform remote code execution without leaving an agent-level audit trail.

This means that any system enrolled using the compromised environment is at risk of being fully controlled by an attacker with administrator access to osctrl.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by reviewing existing environment configurations for suspicious or unexpected hostnames that may contain injected shell commands.

Additionally, monitoring enrollment one-liner scripts generated by osctrl for unexpected or arbitrary commands can help identify exploitation attempts.

Since the commands execute as root/SYSTEM before osquery installation and leave no agent-level audit trail, detection via traditional endpoint logs may be limited.

No specific commands are provided in the available information to detect this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability immediately, restrict osctrl administrator access to trusted personnel only.

Review all existing environment configurations for suspicious hostnames that may contain injected commands.

Monitor enrollment scripts for unexpected or arbitrary commands that could indicate exploitation.

Upgrade osctrl to version 0.5.0 or later, where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28279. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart