Description
bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a container escape and unauthorized infrastructure modifications. This is fixed in version 1.0.1 by implementing strict input sanitization and secure delimiters in entrypoint.sh, enforcing a non-root user (appuser) in the Dockerfile, and establishing mandatory security quality gates.
Published: 2026-02-24
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution with Root Privileges
Action: Patch Now
AI Analysis

Impact

An attacker can exploit a command injection flaw in the api-gateway-deploy entrypoint logic. The vulnerability allows execution of arbitrary OS commands with root privilege inside the container. This can lead to a container escape scenario or allow the attacker to modify interior infrastructure, compromising confidentiality, integrity and availability of the host system. The weakness corresponds to several CWEs such as command injection, privilege escalation, and insecure input handling.

Affected Systems

The affected product is bleon-ethical api-gateway-deploy version 1.0.0. The vulnerability exists in the container runtime environment that relies on a privileged entrypoint script that does not properly validate user inputs and runs as root.

Risk and Exploitability

The flaw carries a high CVSS score of 9.2, indicating a severe impact. EPSS is less than 1%, suggesting low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to send crafted input that reaches the vulnerable script, after which the injected command runs with root rights inside the container. From there, the attacker may already have sufficient control to perform unauthorized actions on the host or other services.

Generated by OpenCVE AI on April 16, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to bleon-ethical/api-gateway-deploy 1.0.1 or later, which enforces input sanitization, uses a non‑root user, and applies security gates.
  • If an immediate upgrade is not possible, restrict container privileges by running the container under a non‑root user or enabling user namespace isolation to limit the impact of root execution inside the image.
  • As a temporary measure, review and sanitize any user‑supplied parameters that are passed to the entrypoint script, ensuring they cannot be interpreted as executable commands.

Generated by OpenCVE AI on April 16, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bleon-ethical:api-gateway-deploy:1.0.0:*:*:*:*:*:*:*

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Bleon-ethical
Bleon-ethical api-gateway-deploy
Vendors & Products Bleon-ethical
Bleon-ethical api-gateway-deploy

Tue, 24 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
Description bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a container escape and unauthorized infrastructure modifications. This is fixed in version 1.0.1 by implementing strict input sanitization and secure delimiters in entrypoint.sh, enforcing a non-root user (appuser) in the Dockerfile, and establishing mandatory security quality gates.
Title api-gateway-deploy Affected by Exploitable Command Injection via Unprivileged Root Execution
Weaknesses CWE-250
CWE-269
CWE-78
CWE-88
References
Metrics cvssV3_1

{'score': 9.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H'}

Subscriptions

Bleon-ethical Api-gateway-deploy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:50:16.436Z

Reserved: 2026-02-18T19:47:02.156Z

Link: CVE-2026-27208

cve-icon Vulnrichment

Updated: 2026-02-27T20:50:13.265Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T15:21:37.843

Modified: 2026-02-26T20:11:29.340

Link: CVE-2026-27208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses