Description
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
Published: 2026-02-26
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A vulnerable version of osctrl allows an authenticated administrator to embed arbitrary shell commands into the hostname field of an environment configuration. These commands become part of the enrollment one‑liner script generated with Go's text/template package, which does not escape shell input, and are executed as root or SYSTEM when an endpoint enrolls. The attacker can install backdoors, exfiltrate credentials, and gain full control of any endpoint that uses the compromised environment. The weakness is an OS Command Injection flaw (CWE‑78).

Affected Systems

The affected product is jmpsec’s osctrl, with all releases prior to version 0.5.0 vulnerable. Users running earlier revisions should verify the version and consider upgrading.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.4, indicating high severity. The EPSS score is below 1%, meaning active exploits are rarely observed, and the vulnerability is not listed in the CISA KEV catalog. The attacker must already hold authenticated administrator access to osctrl. Exploitation would proceed by creating or editing an environment with a malicious hostname value, embedding commands that execute immediately on endpoint enrollment. The consequence is remote code execution on every machine that enrolls with the affected environment, running with elevated privileges and leaving no agent‑level audit trail.

Generated by OpenCVE AI on April 17, 2026 at 14:12 UTC.
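
To make the mechanism in the description concrete, the following is an added Go example; it is not osctrl's code, and the template text, the `EnrollParams` field names and the helper names are constructed for illustration. It renders a constructed enrollment one-liner the vulnerable way, with `text/template` substituting the hostname verbatim, and then the hardened way, with an RFC 1123 syntax check on the hostname, a simple name check on the environment, and single-quoting of every substituted value. The `HostnameHasShellMetachar` helper is the kind of check the "review existing environment configurations for suspicious hostname values" workaround calls for.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// EnrollParams holds the admin-controlled values that feed the enrollment
// one-liner. Field names are constructed for this example.
type EnrollParams struct {
	Host string
	Env  string
}

// vulnerableTmpl mirrors the risky pattern the advisory describes: the hostname
// is interpolated straight into a shell command line. text/template copies the
// string verbatim; it has no notion of shell metacharacters. (Constructed
// template, not osctrl's own.)
const vulnerableTmpl = `curl -sk https://{{.Host}}/{{.Env}}/enroll.sh | sh`

// hardenedTmpl pipes every admin-controlled value through shq, a single-quoting
// helper registered on the template in RenderHardened.
const hardenedTmpl = `curl -sk https://{{.Host | shq}}/{{.Env | shq}}/enroll.sh | sh`

// hostnameRe is an RFC 1123 hostname syntax check: labels of letters, digits and
// hyphens, not starting or ending with a hyphen, joined by dots.
var hostnameRe = regexp.MustCompile(`(?i)^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$`)

// envRe limits environment names to a conservative character set.
var envRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ValidateHostname is the primary defense: reject anything that is not a
// syntactically valid hostname before it ever reaches a template.
func ValidateHostname(h string) error {
	if len(h) == 0 || len(h) > 253 {
		return fmt.Errorf("hostname length %d out of range", len(h))
	}
	if !hostnameRe.MatchString(h) {
		return fmt.Errorf("hostname %q contains characters outside RFC 1123 syntax", h)
	}
	return nil
}

// HostnameHasShellMetachar is a review aid for stored environment records: it
// reports whether a hostname value carries any of ; | & $ ` ( ) or a newline.
func HostnameHasShellMetachar(h string) bool {
	return strings.ContainsAny(h, ";|&$`()\n")
}

// shellSingleQuote is defense in depth: wrap a value in single quotes so the
// shell treats it as one literal word, escaping embedded single quotes as '\''.
func shellSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// RenderVulnerable renders the one-liner with no validation and no quoting.
func RenderVulnerable(p EnrollParams) (string, error) {
	t := template.Must(template.New("enroll").Parse(vulnerableTmpl))
	var out bytes.Buffer
	if err := t.Execute(&out, p); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RenderHardened validates both inputs first and quotes every substituted
// value; an input that fails validation never produces a script.
func RenderHardened(p EnrollParams) (string, error) {
	if err := ValidateHostname(p.Host); err != nil {
		return "", err
	}
	if !envRe.MatchString(p.Env) {
		return "", fmt.Errorf("environment name %q is not allowed", p.Env)
	}
	t := template.Must(template.New("enroll").
		Funcs(template.FuncMap{"shq": shellSingleQuote}).
		Parse(hardenedTmpl))
	var out bytes.Buffer
	if err := t.Execute(&out, p); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed sample: a harmless marker command appended to the hostname,
	// standing in for the arbitrary command the advisory describes.
	bad := EnrollParams{Host: "osctrl.example.internal; echo INJECTED", Env: "prod"}
	good := EnrollParams{Host: "osctrl.example.internal", Env: "prod"}

	s, _ := RenderVulnerable(bad)
	fmt.Println("vulnerable:", s)
	if _, err := RenderHardened(bad); err != nil {
		fmt.Println("hardened rejected:", err)
	}
	s, _ = RenderHardened(good)
	fmt.Println("hardened:", s)
	fmt.Println("stored hostname suspicious:", HostnameHasShellMetachar(bad.Host))
}
```

Switching from `text/template` to `html/template` would not close this class of bug: that package escapes for HTML, JavaScript and URL contexts, not for a POSIX shell. The fix that matters is rejecting the value before it is rendered; the quoting is a second layer in case a future template change reintroduces raw interpolation. A rejected value is also a useful signal, so the admin UI should log the failed validation alongside the acting administrator account.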

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade osctrl to version 0.5.0 or later
  • Restrict osctrl administrator access to trusted personnel
  • Review existing environment configurations for suspicious hostname values
  • Monitor enrollment scripts for unexpected commands

Advisories
Source: Github GHSA
ID: GHSA-rchw-322g-f7rm
Title: osctrl is Vulnerable to OS Command Injection via Environment Configuration
History

Sat, 28 Feb 2026 01:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:jmpsec:osctrl:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jmpsec; Jmpsec osctrl
Vendors & Products | | Jmpsec; Jmpsec osctrl

Thu, 26 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
Title | | `osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:33:49.803Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28279

Vulnrichment

Updated: 2026-02-27T17:33:42.499Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:37.567

Modified: 2026-02-28T01:17:13.797

Link: CVE-2026-28279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses