`osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration
Description
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated with Go's text/template package (which performs no shell escaping), so an attacker with administrator access achieves remote code execution on every endpoint that enrolls using the compromised environment. The commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail; this enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl v0.5.0. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in osctrl-admin allows authenticated admins to execute arbitrary commands on all enrolling endpoints via unsanitized hostname field.
Root Cause: The vulnerability stems from the lack of input validation on the hostname parameter when creating or editing environments in osctrl-admin. The hostname is directly incorporated into enrollment one-liner scripts using Go's text/template package, which does not perform shell escaping. This allows an authenticated administrator to inject arbitrary OS commands by crafting a malicious hostname [1][2].
Exploitation: An attacker with administrative access to osctrl can create or modify an environment with a specially crafted hostname. When endpoints enroll using the compromised environment, the injected commands are embedded into the enrollment script and execute on each endpoint. The commands run as root/SYSTEM (the enrollment privilege level) and before osquery is installed, so no agent-level audit trail records them [2]. This makes detection difficult.
Impact: Successful exploitation results in remote code execution on every endpoint that enrolls from the affected environment. An attacker can install backdoors, exfiltrate credentials, and achieve full compromise of the enrolling systems [2]. The wide reach of this vulnerability makes it particularly severe.
Mitigation: The issue is fixed in osctrl version 0.5.0. Pull requests #777 and #780 introduced input validation filters for environment fields, including hostname [1][4]. As a workaround, administrators should restrict access to trusted personnel, review existing environment configurations for suspicious hostnames, and monitor enrollment scripts for unexpected commands [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
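The mechanism described above, as an added example that is not osctrl's own code: a hypothetical enrollment one-liner rendered with Go's text/template, which substitutes field values verbatim with no shell escaping, beside the kind of allow-list validation the fix (pull requests #777 and #780) added for environment fields. The template string, the envConfig type, the regular expressions and all function names are assumptions for illustration; the real osctrl template and validators differ. The example generalizes slightly by validating the environment name as well as the hostname, since every field bound into the template is the same class of input.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"regexp"
	"text/template"
)

// Hypothetical enrollment one-liner (not osctrl's real template). text/template
// pastes every field in verbatim: it has no notion of shell quoting.
const enrollTmpl = `curl -sk https://{{.Hostname}}/enroll/{{.Env}} | sh`

// envConfig is the subset of an environment record that reaches the template.
type envConfig struct {
	Hostname string
	Env      string
}

var (
	// RFC 1123-style allow-list: dot-separated labels of letters, digits and
	// hyphens, with an optional ":port". Anything a shell would interpret
	// (;, |, $, backticks, whitespace, quotes) is simply not in the alphabet.
	hostnameRe = regexp.MustCompile(`^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(:[0-9]{1,5})?$`)
	// Environment names: short identifier, same idea.
	envNameRe = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,64}$`)
)

// ValidateHostname rejects anything outside the hostname allow-list.
// This is the check that belongs on the admin write path, before the value
// is stored, so no stored environment can ever carry shell syntax.
func ValidateHostname(h string) error {
	if h == "" || len(h) > 253 {
		return errors.New("hostname length out of range")
	}
	if !hostnameRe.MatchString(h) {
		return fmt.Errorf("hostname %q contains characters outside the allow-list", h)
	}
	return nil
}

// ValidateEnvName applies the same allow-list idea to the environment name.
func ValidateEnvName(n string) error {
	if !envNameRe.MatchString(n) {
		return fmt.Errorf("environment name %q contains characters outside the allow-list", n)
	}
	return nil
}

// RenderUnchecked is the vulnerable shape: render straight from stored fields.
func RenderUnchecked(cfg envConfig) (string, error) {
	tmpl, err := template.New("enroll").Parse(enrollTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderChecked is the hardened shape: validate every template-bound field,
// then render. Rendering itself is unchanged; the allow-list does the work.
func RenderChecked(cfg envConfig) (string, error) {
	if err := ValidateHostname(cfg.Hostname); err != nil {
		return "", err
	}
	if err := ValidateEnvName(cfg.Env); err != nil {
		return "", err
	}
	return RenderUnchecked(cfg)
}

func main() {
	// Constructed sample values; the second hostname carries a shell separator.
	good := envConfig{Hostname: "osctrl.example.com", Env: "prod"}
	bad := envConfig{Hostname: "osctrl.example.com;echo injected", Env: "prod"}

	s, _ := RenderUnchecked(bad)
	fmt.Println("unchecked render passes the separator through:", s)
	if _, err := RenderChecked(bad); err != nil {
		fmt.Println("checked render rejects it:", err)
	}
	s, _ = RenderChecked(good)
	fmt.Println("checked render of a valid hostname:", s)
}
```

The design point is that validation, not escaping, is the right fix here: the same hostname value is also interpolated into a URL and a template, and an allow-list that admits only hostname characters is safe in every one of those contexts, whereas shell quoting would protect only the one-liner. For the workaround the advisory suggests, the same regular expression can be run over existing environment records to flag hostnames that would not pass.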
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/jmpsec/osctrl (Go) | < 0.5.0 | 0.5.0 |
Affected products
- Range: < 0.5.0
- jmpsec/osctrl Range: < 0.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-rchw-322g-f7rm (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-28279 (GHSA, advisory)
- [3] github.com/jmpsec/osctrl/pull/777 (GHSA, x_refsource_MISC, web)
- [4] github.com/jmpsec/osctrl/pull/780 (GHSA, x_refsource_MISC, web)
- [5] github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.