CVE-2026-27806
Published 2026-04-08
Priority: P3 (45) | Severity: high | CVSS 3.1 base score: 7.8 | Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.11% (1.6th percentile)
Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into the Tcl brace-quoted literal `send {%s}`, a password containing `}` terminates the literal, and whatever follows is parsed as Tcl, so arbitrary Tcl commands can be injected. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. This vulnerability is fixed in 4.81.1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fleetdm | fleet | < 4.81.1 | 4.81.1 |
| github.com | fleetdm_fleet_v4 | >= 0 < 4.81.1 | 4.81.1 |
GHSA advisory (2026-04-08): Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit [HIGH, CWE-78]
## Summary
The Orbit agent's FileVault disk encryption key rotation flow collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into the Tcl brace-quoted literal `send {%s}`, a password containing `}` terminates the literal, and whatever follows is parsed as Tcl, so arbitrary Tcl commands can be injected. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.
## CWE
- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')
## Impact
- Local privilege escalation to root
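The following Go example is added here to illustrate the bug class the advisory describes; it is not Orbit's code, and the `spawn` target and the `FV_PASSWORD` variable name are placeholders. It builds the script the unsafe way so a checker can show where a `}` in the password ends the brace literal, and beside it builds the same script so that the password reaches expect only through the environment and never becomes script text.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// vulnerableScript mirrors the pattern the advisory describes: the password is
// formatted straight into a brace-quoted Tcl literal. Placeholder spawn target.
func vulnerableScript(password string) string {
	return fmt.Sprintf("spawn /path/to/rotation-tool\nexpect \"Password:\"\nsend {%s}\nexpect eof\n", password)
}

// breaksBraceLiteral reports whether interpolating s into `send {%s}` would
// end the literal early. Tcl matches unescaped braces, so once the depth drops
// below zero the remainder of the value is parsed as Tcl; an unbalanced `{`
// also breaks the script (missing close-brace), so it is flagged too.
func breaksBraceLiteral(s string) bool {
	depth, escaped := 0, false
	for _, r := range s {
		switch {
		case escaped:
			escaped = false
		case r == '\\':
			escaped = true
		case r == '{':
			depth++
		case r == '}':
			depth--
			if depth < 0 {
				return true
			}
		}
	}
	return depth != 0
}

// safeScript keeps the password out of the script text entirely: expect reads
// it from the environment, and Tcl substitutes $env(...) as one word without
// re-parsing its contents. `--` stops a leading '-' being taken as a send flag.
func safeScript() (script, envKey string) {
	return "spawn /path/to/rotation-tool\nexpect \"Password:\"\nsend -- $env(FV_PASSWORD)\nsend \"\\r\"\nexpect eof\n", "FV_PASSWORD"
}

// rotationCommand prepares (but does not run) the hardened expect invocation.
func rotationCommand(password string) *exec.Cmd {
	script, key := safeScript()
	cmd := exec.Command("expect", "-c", script)
	cmd.Env = append(os.Environ(), key+"="+password)
	return cmd
}

func main() {
	pw := "pa}ss{word" // constructed sample value, not a real credential
	fmt.Println(breaksBraceLiteral(pw), vulnerableScript(pw))
}
```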
OSV advisory (2026-04-08): Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit [HIGH] (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.