GHSA-RCHW-322G-F7RM

Vulnerability from github – Published: 2026-02-28 02:05 – Updated: 2026-02-28 02:05
Summary
osctrl is Vulnerable to OS Command Injection via Environment Configuration
Details

Summary

An OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. The hostname is embedded into the enrollment one-liner scripts generated with Go's text/template package, which substitutes values verbatim and performs no shell (or any other) escaping, so the injected commands execute on every endpoint that enrolls using the compromised environment.

Impact

An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise.

Patches

Fixed in osctrl v0.5.0. Users should upgrade immediately.

Workarounds

Restrict osctrl administrator access to trusted personnel. Review existing environment configurations for hostnames that are not plain hostnames, in particular values containing quotes, backticks, "$(", ";", "|" or newlines. Monitor the generated enrollment scripts for unexpected commands.
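
The following Go program is an added illustration, written for this page and not taken from osctrl, of the two points above: the Summary's description of a hostname rendered into a shell one-liner by text/template with no escaping, and the Workarounds' advice to review existing environment hostnames. The template string, the envConfig field names, the hostname regular expression and the sample payload are all assumptions made for the example; osctrl's real template and data model may differ.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// envConfig stands in for the environment record an osctrl administrator
// edits (assumed field names). Only Hostname is attacker-controlled here.
type envConfig struct {
	Hostname string
	EnvName  string
	Secret   string
}

// enrollTemplate is a constructed one-liner in the style the advisory
// describes, not osctrl's real template.
const enrollTemplate = `curl -sk https://{{.Hostname}}/{{.EnvName}}/{{.Secret}}/enroll.sh | sh`

// render parses and executes a one-liner template. text/template substitutes
// field values byte-for-byte and knows nothing about shell syntax; only the
// functions registered in funcs can change what reaches the output.
func render(text string, funcs template.FuncMap, cfg envConfig) (string, error) {
	tmpl, err := template.New("enroll").Funcs(funcs).Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderUnsafe is the vulnerable pattern: the stored hostname is interpolated
// unchanged, so "$(...)", ";", "|" and backticks reach the endpoint's shell.
func renderUnsafe(cfg envConfig) (string, error) {
	return render(enrollTemplate, nil, cfg)
}

// hostnameRE accepts an RFC 1123 hostname (or IPv4 literal) with an optional
// :port and nothing else. For a field that only ever names a server, an
// allow-list at input time is the right fix; escaping is a fallback.
var hostnameRE = regexp.MustCompile(
	`(?i)^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*(:[0-9]{1,5})?$`)

func validHostname(h string) bool {
	return len(h) <= 253 && hostnameRE.MatchString(h)
}

// renderSafe refuses to emit a script for an environment whose hostname fails
// validation; the create/edit handler should apply the same check on input.
func renderSafe(cfg envConfig) (string, error) {
	if !validHostname(cfg.Hostname) {
		return "", fmt.Errorf("hostname %q is not a valid hostname; refusing to render enrollment script", cfg.Hostname)
	}
	return renderUnsafe(cfg)
}

// shellQuote wraps s in single quotes, the POSIX quoting form in which no
// character is special; an embedded ' is closed, escaped and reopened.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// renderQuoted shows the generic text/template mitigation for fields that must
// carry free text: register the quoting function in a FuncMap and apply it in
// the template, so the whole URL is one single-quoted word to the shell.
func renderQuoted(cfg envConfig) (string, error) {
	const quoted = `curl -sk {{printf "https://%s/%s/%s/enroll.sh" .Hostname .EnvName .Secret | shq}} | sh`
	return render(quoted, template.FuncMap{"shq": shellQuote}, cfg)
}

// auditHostnames is the suggested workaround as code: given the hostnames of
// all existing environments, return those that cannot be a plain hostname.
func auditHostnames(hosts []string) []string {
	var bad []string
	for _, h := range hosts {
		if !validHostname(h) {
			bad = append(bad, h)
		}
	}
	return bad
}

func main() {
	// Constructed sample environment; the hostname carries a payload.
	evil := envConfig{Hostname: "osctrl.example.com$(touch /tmp/pwned)", EnvName: "dev", Secret: "s3cr3t"}
	out, _ := renderUnsafe(evil)
	fmt.Println("unsafe:", out)
	_, err := renderSafe(evil)
	fmt.Println("safe:  ", err)
	out, _ = renderQuoted(evil)
	fmt.Println("quoted:", out)
	fmt.Println("audit: ", auditHostnames([]string{"osctrl.example.com:8443", evil.Hostname, "localhost"}))
}
```

Running it prints the unsafe script with the "$(touch /tmp/pwned)" substitution intact, the rejection from renderSafe, a quoted variant in which the payload is inert (the shell never expands anything inside single quotes, though curl will then fail to resolve the name), and the audit result listing the one hostname that deserves a look. Validation is preferred over quoting here because a hostname has a well-defined grammar; quoting is the right tool only for fields that legitimately carry arbitrary text.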

Credits

Leon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)

https://github.com/Kwangyun → @Kwangyun
https://github.com/sho-luv → @sho-luv


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jmpsec/osctrl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T02:05:48Z",
    "nvd_published_at": "2026-02-26T23:16:37Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go\u0027s `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment.\n\n### Impact\nAn attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise.\n\n### Patches\nFixed in osctrl `v0.5.0`. Users should upgrade immediately.\n\n### Workarounds\nRestrict osctrl administrator access to trusted personnel. Review existing environment configurations for suspicious hostnames. Monitor enrollment scripts for unexpected commands.\n\n### Credits\n\nLeon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)\n\nhttps://github.com/Kwangyun \u2192 @Kwangyun\nhttps://github.com/sho-luv \u2192 @sho-luv",
  "id": "GHSA-rchw-322g-f7rm",
  "modified": "2026-02-28T02:05:48Z",
  "published": "2026-02-28T02:05:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28279"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jmpsec/osctrl/pull/777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jmpsec/osctrl/pull/780"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jmpsec/osctrl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "osctrl is Vulnerable to OS Command Injection via Environment Configuration"
}

