osctrl-admin Enrollment Script Command Injection
Vulnerability ID: CVE-2026-28279
CVSS Score: 7.3
Published: 2026-02-28
A critical command injection vulnerability exists in the osctrl-admin component of the osctrl osquery management platform. The vulnerability allows authenticated administrators to inject arbitrary shell commands into generated enrollment scripts via the environment hostname parameter. When these scripts are executed on endpoints to install the osquery agent, the injected commands run with high privileges (typically root or SYSTEM), allowing for potential fleet-wide compromise.
TL;DR
Authenticated RCE in osctrl < v0.5.0 allows attackers to compromise endpoints during enrollment by injecting commands into the hostname field.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78
- CVSS v3.1: 7.3 (High)
- Attack Vector: Adjacent Network
- Exploit Status: PoC Available
- EPSS Score: 0.00112
- Patch Version: 0.5.0
Affected Systems
- osctrl-admin < v0.5.0
-
osctrl: < 0.5.0 (Fixed in:
0.5.0)
Code Analysis
Commit: 742c38d
Implement strict regex filtering for environment hostnames
func HostnameFilter(s string) bool {
- return true
+ re := regexp.MustCompile(`^[a-zA-Z0-9.\-]+$`)
+ return re.MatchString(s)
}
Exploit Details
- Manual: Manual PoC involving environment configuration modification
Mitigation Strategies
- Input Sanitization
- Principle of Least Privilege
- Code Review
Remediation Steps:
- Upgrade osctrl to version 0.5.0 or later immediately.
- Review all existing environment configurations in the
osctrl-admindashboard for suspicioushostnameentries. - Regenerate and inspect any enrollment scripts that have been downloaded but not yet executed.
- If an upgrade is not immediately possible, implement a Web Application Firewall (WAF) rule to block POST requests to environment endpoints containing shell metacharacters (e.g.,
;,|,$,`).
References
Read the full report for CVE-2026-28279 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)