Description
Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection.
Published: 2026-05-14
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Northern.tech CFEngine Enterprise and Community allows an attacker to inject arbitrary shell commands. This violation of the principle of correct input handling enables the execution of unwanted code, leading to compromise of confidentiality, integrity, and availability of the affected system. The weakness is identified as a typical command injection vulnerability (CWE-77).

Affected Systems

The vulnerability is present in CFEngine Enterprise and Community versions prior to 3.21.8, 3.24.3, and 3.27.0. Only these earlier releases are affected; newer releases release the fix. The product is distributed by Northern.tech and widely used for configuration management and automation.

Risk and Exploitability

The EPSS score is 1%, indicating a lower probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The available description indicates that an attacker can inject arbitrary commands, but the exact attack vector is not specified in the advisory; it is inferred that a remote or local attacker with sufficient CFEngine access could exploit the flaw. Because the flaw directly executes commands, the risk is high. The CVSS score is 7.3, indicating a high severity, and the impact is severe and the potential for full compromise exists if the attacker can trigger the injection.

Generated by OpenCVE AI on May 20, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CFEngine to version 3.21.8, 3.24.3, or 3.27.0 or later, which contains the fix for the command injection issue.
  • Run CFEngine processes as a dedicated, least-privileged user to limit the damage of any successful command execution.
  • Restrict CFEngine’s runtime environment by disabling or hardening any modules or scripts that allow arbitrary command invocation, ensuring only trusted configurations are evaluated.

Generated by OpenCVE AI on May 20, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in Northern.tech CFEngine

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:northern.tech:cfengine:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:northern.tech:cfengine:3.26.0:*:*:*:enterprise:*:*:*

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Northern.tech
Northern.tech cfengine
Vendors & Products Northern.tech
Northern.tech cfengine

Sat, 16 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in CFEngine before 3.21.8, 3.24.3, and 3.27.0

Fri, 15 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in CFEngine before 3.21.8, 3.24.3, and 3.27.0

Fri, 15 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Command Injection in CFEngine Enterprise/Community Before 3.21.8, 3.24.3, and 3.27.0
Weaknesses CWE-78

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Command Injection in CFEngine Enterprise/Community Before 3.21.8, 3.24.3, and 3.27.0
Weaknesses CWE-78

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection.
References

Subscriptions

Northern.tech Cfengine
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T13:30:12.523Z

Reserved: 2026-01-24T00:00:00.000Z

Link: CVE-2026-24712

cve-icon Vulnrichment

Updated: 2026-05-15T13:30:07.058Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T15:16:44.977

Modified: 2026-05-19T16:43:26.550

Link: CVE-2026-24712

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T14:45:32Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')