CVE-2026-27806
Received Received - Intake
Tcl Injection in Fleet Orbit Agent Enables Local Root Escalation

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quoted send {%s}, a password containing } terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27806
EUVD
EUVD-2026-20540
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fleetdm fleet to 4.81.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27806 is a local privilege escalation vulnerability in the Orbit agent of Fleet device management software. The vulnerability occurs because the agent collects a local user's password via a GUI dialog and directly inserts it into a Tcl/expect script executed with root privileges. If the password contains the character '}', it prematurely ends the Tcl brace-quoted string, allowing an attacker to inject arbitrary Tcl commands.

Since the Orbit agent runs as root, this command injection enables any unprivileged local user to execute arbitrary commands as root, effectively escalating their privileges to full root access.

This issue affects versions prior to 4.81.1 and was fixed in version 4.81.1.

Impact Analysis

This vulnerability allows a local unprivileged user to escalate their privileges to root on the affected system.

Exploitation requires only low privileges and no user interaction, making it relatively easy for an attacker with local access to fully compromise the system.

The attacker can execute arbitrary commands as root, leading to complete loss of confidentiality, integrity, and availability of the system.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Fleet software to version 4.81.1 or later, where the issue has been fixed.

Since the vulnerability allows local privilege escalation via the Orbit agent's FileVault disk encryption key rotation process, ensuring that the agent is updated will prevent exploitation.

Compliance Impact

This vulnerability allows a local unprivileged user to escalate to root privileges, resulting in full compromise of confidentiality, integrity, and availability on the affected system.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Specifically, the high confidentiality impact means personal or sensitive data could be exposed, violating data protection requirements.

The high integrity and availability impacts mean that data could be altered or systems disrupted, further risking compliance with regulations that mandate data accuracy and system reliability.

Detection Guidance

This vulnerability is a local privilege escalation issue in the Orbit agent prior to version 4.81.1, caused by improper handling of user passwords in a Tcl/expect script. Detection involves verifying the version of the Fleet software and the Orbit agent installed on your system.

To detect if your system is vulnerable, check the installed Fleet version and confirm if it is earlier than 4.81.1, as versions 4.81.1 and later contain the fix.

You can use commands like the following to check the Fleet version:

  • fleet --version
  • dpkg -l | grep fleet
  • rpm -qa | grep fleet

Additionally, since the vulnerability involves the Orbit agent running as root, you can check the Orbit agent version or process details to confirm if it is the vulnerable version.

There are no specific network detection commands because this is a local privilege escalation vulnerability requiring local access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27806. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart