DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27806: Local Privilege Escalation via Tcl Script Injection in Fleet DM Orbit Agent

Vulnerability ID: CVE-2026-27806
CVSS Score: 7.8
Published: 2026-04-08

CVE-2026-27806 is a local privilege escalation vulnerability in the Fleet DM Orbit agent for macOS. Improper neutralization of user input during the automated FileVault key rotation process allows local unprivileged users to execute arbitrary commands as root via Tcl script injection.

TL;DR

Unescaped user input in macOS FileVault Tcl/expect scripts allows local privilege escalation to root in Fleet DM Orbit agents prior to version 4.81.1.

⚠️ Exploit Status: Proof of Concept (PoC)

Technical Details

  • CWE ID: CWE-78
  • Attack Vector: Local
  • CVSS v3.1: 7.8 (High)
  • Impact: Privilege Escalation to root
  • Exploit Status: Proof of Concept (PoC)
  • KEV Status: Not Listed

Affected Systems

  • Fleet DM Orbit Agent (macOS)
  • Orbit Agent: < 4.81.1 (Fixed in: 4.81.1)

Mitigation Strategies

  • Deploy Fleet DM Orbit agent version 4.81.1 to all macOS endpoints.
  • Temporarily suspend FileVault recovery key rotation policies if patching is delayed.
  • Implement endpoint monitoring for abnormal child processes spawned by the expect interpreter.
  • Audit endpoints using osquery to verify agent version compliance.

Remediation Steps

  1. Identify all macOS endpoints running Fleet DM Orbit agent versions prior to 4.81.1.
  2. Push the 4.81.1 agent update via the Fleet DM management console or MDM solution.
  3. Verify the update application by querying the agent version across the fleet.
  4. Analyze endpoint telemetry for historical indicators of compromise associated with expect processes.
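The two checks behind the mitigation strategies and remediation steps above, as an added example that is not part of the original report or of Fleet DM's code: a version comparison against the 4.81.1 fix, and a rule that flags root-level children of expect whose binary is not on an allow-list. The allow-list contents, the event field names and the sample telemetry are assumptions constructed for this example.

```python
import re

# Version that ships the fix, taken from the advisory.
FIXED_VERSION = (4, 81, 1)

# ASSUMPTION: binaries a legitimate FileVault rotation expect script may spawn.
# Build this allow-list from your own baseline telemetry; it is not from the advisory.
EXPECTED_EXPECT_CHILDREN = {"/usr/bin/fdesetup", "/usr/bin/sudo"}


def parse_version(version: str) -> tuple:
    """Turn '4.81.1' (or '4.81', '4.81.1-1') into a comparable 3-tuple of ints."""
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_is_vulnerable(version: str) -> bool:
    """True when the reported Orbit agent version predates the 4.81.1 fix."""
    return parse_version(version) < FIXED_VERSION


def flag_expect_children(events) -> list:
    """Return (pid, path) for root-level children of expect that are not allow-listed.

    Each event is a dict with pid, uid, path and parent_path keys; the field
    names are an assumption loosely modelled on process-event telemetry.
    """
    flagged = []
    for ev in events:
        if ev["parent_path"].rsplit("/", 1)[-1] != "expect":
            continue
        if ev["uid"] == 0 and ev["path"] not in EXPECTED_EXPECT_CHILDREN:
            flagged.append((ev["pid"], ev["path"]))
    return flagged


# Constructed sample telemetry for demonstration (not real endpoint data).
SAMPLE_EVENTS = [
    {"pid": 101, "uid": 0, "path": "/usr/bin/fdesetup", "parent_path": "/usr/bin/expect"},
    {"pid": 102, "uid": 0, "path": "/bin/sh", "parent_path": "/usr/bin/expect"},
    {"pid": 103, "uid": 501, "path": "/bin/zsh", "parent_path": "/usr/bin/expect"},
    {"pid": 104, "uid": 0, "path": "/bin/sh", "parent_path": "/usr/bin/bash"},
]

if __name__ == "__main__":
    for v in ("4.80.0", "4.81.0", "4.81.1", "4.82.0"):
        print(v, "vulnerable" if version_is_vulnerable(v) else "fixed")
    print("flagged:", flag_expect_children(SAMPLE_EVENTS))
```

Only event 102 is flagged: a root shell under expect that is not on the allow-list, which is the shape of activity the monitoring recommendation is meant to surface.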

Read the full report for CVE-2026-27806 on our website for more details including interactive diagrams and full exploit analysis.
