CVE-2026-27806
Tcl Injection in Fleet Orbit Agent Enables Local Root Escalation
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fleetdm | fleet | up to 4.81.1 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27806 is a local privilege escalation vulnerability in the Orbit agent of Fleet device management software. The vulnerability occurs because the agent collects a local user's password via a GUI dialog and directly inserts it into a Tcl/expect script executed with root privileges. If the password contains the character '}', it prematurely ends the Tcl brace-quoted string, allowing an attacker to inject arbitrary Tcl commands.
Since the Orbit agent runs as root, this command injection enables any unprivileged local user to execute arbitrary commands as root, effectively escalating their privileges to full root access.
This issue affects versions prior to 4.81.1 and was fixed in version 4.81.1.
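As an added illustration in Go (the language Orbit is written in), not Fleet's own code: the brace-interpolation pattern the answer describes, a structural check that flags a password able to close the brace-quoted word early, and a hardened alternative that hands the secret to expect through an environment variable instead of the script text. The names ORBIT_PW and placeholder-tool and the expect invocation are assumptions.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
)

// Vulnerable pattern (constructed illustration, not Fleet's code): the
// user-supplied password is spliced into a brace-quoted Tcl word. A '}'
// in the password closes that word early and the rest is parsed as Tcl.
func unsafeExpectScript(password string) string {
	return "spawn placeholder-tool\nexpect \"Password:\"\nsend {" + password + "}\n"
}

// tclBraceSafe reports whether s can sit inside {...} without altering the
// script's structure: braces must nest back to zero and never go negative,
// and a trailing backslash would escape the script's own closing brace.
func tclBraceSafe(s string) bool {
	depth := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // a backslash-quoted brace does not count toward nesting
			if i >= len(s) {
				return false
			}
		case '{':
			depth++
		case '}':
			depth--
			if depth < 0 {
				return false // closes the brace-quoted word early
			}
		}
	}
	return depth == 0
}

// hardenedExpectCmd keeps the secret out of the script text: Tcl reads it
// from $env(ORBIT_PW), and the result of a variable substitution is never
// re-parsed as code, so every byte of the password is sent literally.
func hardenedExpectCmd(password string) *exec.Cmd {
	script := "spawn placeholder-tool\nexpect \"Password:\"\nsend \"$env(ORBIT_PW)\\r\"\n"
	cmd := exec.Command("expect", "-f", "-") // "-f -" reads the script from stdin
	cmd.Stdin = strings.NewReader(script)
	cmd.Env = append(os.Environ(), "ORBIT_PW="+password)
	return cmd
}
```

The check is useful as a defence-in-depth assertion, but the real fix is the second function: never build code from the secret at all.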
How can this vulnerability impact me?
This vulnerability allows a local unprivileged user to escalate their privileges to root on the affected system.
Exploitation requires only low privileges and no user interaction, making it relatively easy for an attacker with local access to fully compromise the system.
The attacker can execute arbitrary commands as root, leading to complete loss of confidentiality, integrity, and availability of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Fleet software to version 4.81.1 or later, where the issue has been fixed.
Since the vulnerability allows local privilege escalation via the Orbit agent's FileVault disk encryption key rotation process, ensuring that the agent is updated will prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a local unprivileged user to escalate to root privileges, resulting in full compromise of confidentiality, integrity, and availability on the affected system.
Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
Specifically, the high confidentiality impact means personal or sensitive data could be exposed, violating data protection requirements.
The high integrity and availability impacts mean that data could be altered or systems disrupted, further risking compliance with regulations that mandate data accuracy and system reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local privilege escalation issue in the Orbit agent prior to version 4.81.1, caused by improper handling of user passwords in a Tcl/expect script. Detection involves verifying the version of the Fleet software and the Orbit agent installed on your system.
To detect if your system is vulnerable, check the installed Fleet version and confirm if it is earlier than 4.81.1, as versions 4.81.1 and later contain the fix.
You can use commands like the following to check the Fleet version:
- fleet --version
- dpkg -l | grep fleet
- rpm -qa | grep fleet
Additionally, since the vulnerability involves the Orbit agent running as root, you can check the Orbit agent version or process details to confirm if it is the vulnerable version.
There are no specific network detection commands because this is a local privilege escalation vulnerability requiring local access.