CVE-2026-27806
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
Description
## Summary

The Orbit agent's FileVault disk-encryption key rotation flow collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script that is executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into a Tcl brace-quoted word, `send {%s}`, a password containing `}` terminates the literal and the remainder of the password is parsed as further Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.

## CWE

- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')

## Impact

- Local privilege escalation to root: any unprivileged local user on a managed endpoint can execute arbitrary commands as root.

## Credit

This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).
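The following Go program is an added illustration of the bug class described above; it is not Orbit's code and does not reproduce Fleet's actual script (the `spawn some-tool --rotate` line, the `ORBIT_PW` variable name and the demo password are placeholders chosen for this example). It reproduces the vulnerable `send {%s}` interpolation, applies Tcl's brace-matching rules to show where the `send` word really ends once the password contains `}`, and then builds the same `expect` invocation in a form that never places the secret inside script text, so nothing in the password can be parsed as Tcl:

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// demoPayload is a constructed password for this example. The leading "}"
// closes the brace-quoted send argument, so everything after it is parsed
// by Tcl as additional commands; the trailing "send {" re-opens a brace
// word so that the "}" the script appends still balances.
const demoPayload = "}; exec id; send {"

// vulnerableScript mirrors the pattern the advisory describes: the password
// is formatted straight into a Tcl brace-quoted word.
func vulnerableScript(password string) string {
	return fmt.Sprintf(`spawn some-tool --rotate; expect "assword:"; send {%s}; send "\r"; expect eof`, password)
}

// tclBraceWordEnd returns the index just past the closing brace of the
// brace-quoted word that starts at s[start] (which must be '{'), following
// Tcl's rules: braces nest and must balance, and a brace preceded by a
// backslash does not count toward matching. It returns -1 if the word is
// never terminated.
func tclBraceWordEnd(s string, start int) int {
	if start >= len(s) || s[start] != '{' {
		return -1
	}
	depth := 0
	for i := start; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // the escaped character is not a delimiter
		case '{':
			depth++
		case '}':
			depth--
			if depth == 0 {
				return i + 1
			}
		}
	}
	return -1
}

// sendLiteral returns the text Tcl would actually hand to the first
// `send {...}` in script and the script text that remains after that word.
// ok is false when the brace word is malformed (expect would then fail to
// parse the script instead of running it).
func sendLiteral(script string) (literal, rest string, ok bool) {
	i := strings.Index(script, "send {")
	if i < 0 {
		return "", "", false
	}
	start := i + len("send ")
	end := tclBraceWordEnd(script, start)
	if end < 0 {
		return "", "", false
	}
	return script[start+1 : end-1], script[end:], true
}

// safeScript contains no user data at all: the secret is read from the
// environment through Tcl's env array. Variable substitution never re-parses
// the value as code, and "--" stops send from treating a value that begins
// with "-" as an option.
const safeScript = `spawn some-tool --rotate; expect "assword:"; send -- "$env(ORBIT_PW)\r"; expect eof`

// safeCommand builds the expect invocation with the password passed only
// through the child's environment, never through argv or script text.
func safeCommand(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", safeScript)
	cmd.Env = append(os.Environ(), "ORBIT_PW="+password)
	return cmd
}

// scriptLeaksSecret reports whether the secret appears anywhere on the
// command line (and therefore in the text Tcl parses).
func scriptLeaksSecret(cmd *exec.Cmd, secret string) bool {
	return strings.Contains(strings.Join(cmd.Args, " "), secret)
}

// envHasSecret reports whether the child would receive the secret via ORBIT_PW.
func envHasSecret(cmd *exec.Cmd, secret string) bool {
	for _, kv := range cmd.Env {
		if kv == "ORBIT_PW="+secret {
			return true
		}
	}
	return false
}

func main() {
	for _, pw := range []string{"hunter2", demoPayload, "a{b"} {
		lit, rest, ok := sendLiteral(vulnerableScript(pw))
		fmt.Printf("password %q -> send literal %q, remaining script %q, ok=%v\n", pw, lit, rest, ok)
	}
	cmd := safeCommand(demoPayload)
	fmt.Println("hardened argv:", cmd.Args) // the secret is absent from the command line
}
```

Two details worth noting when reviewing similar code. Escaping inside braces is not a fix: Tcl performs no substitution within a brace-quoted word, so a `\}` written into `send {...}` is sent to the spawned program as a literal backslash and brace, which means the user's real password no longer matches. And a password containing an unbalanced `{` does not inject anything but leaves the word unterminated, so the rotation simply fails; both outcomes go away once the secret is moved out of the script text. The environment is readable by the spawned tool and its children, so passing the value on `expect`'s stdin and reading it with `gets stdin` is an equally valid alternative when that is a concern.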
How to fix CVE-2026-27806
To remediate CVE-2026-27806, upgrade the affected package to a fixed version below.
- —upgrade to 4.81.1 or later
Is CVE-2026-27806 being exploited?
Low: EPSS is 0.0%, i.e. the model's estimated probability of exploitation in the wild over the next 30 days is negligible. EPSS is a prediction of likelihood, not a record of observed attacks, and this is a local privilege escalation that already requires an account on the managed endpoint.
Affected packages (1)
- from 0, < 4.81.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |