CVE-2026-28279: osctrl-admin Enrollment Script Command Injection

Published: February 28, 2026 at 02:40 AM EST
Source: Dev.to

Vulnerability Details

  • Vulnerability ID: CVE-2026-28279
  • CVSS Score: 7.3 (High)
  • Published: 2026-02-28
  • CWE ID: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
  • Attack Vector: Adjacent Network
  • Exploit Status: Proof-of-Concept (PoC) Available
  • EPSS Score: 0.00112

A critical command injection vulnerability exists in the osctrl-admin component of the osctrl osquery management platform. Authenticated administrators can inject arbitrary shell commands into generated enrollment scripts via the environment hostname parameter. When these scripts are executed on endpoints to install the osquery agent, the injected commands run with high privileges (typically root or SYSTEM), enabling potential fleet-wide compromise.

  • Affected versions: osctrl-admin < 0.5.0, osctrl < 0.5.0
  • Fixed in: 0.5.0

Technical Details

The vulnerability stems from insufficient validation of the environment hostname field used when generating enrollment scripts. An attacker with administrator access can supply a value such as:

myhost; rm -rf / # 

which is embedded directly into the generated script without quoting or filtering; when an endpoint runs the script, the shell parses the injected text as additional commands, leading to command execution on the target system.

Example Fix – Strict Regex Filtering

import "regexp"

// hostnameRe is compiled once at package initialization rather than on every call.
var hostnameRe = regexp.MustCompile(`^[a-zA-Z0-9.\-]+$`)

// HostnameFilter validates environment hostnames.
// Only alphanumeric characters, dots, and hyphens are allowed; shell
// metacharacters such as ';', '|', '$', backticks and whitespace are rejected.
func HostnameFilter(s string) bool {
    return hostnameRe.MatchString(s)
}

Remediation Steps

  1. Upgrade osctrl to version 0.5.0 or later immediately.
  2. Review all existing environment configurations in the osctrl-admin dashboard for suspicious hostname entries.
  3. Regenerate and inspect any enrollment scripts that have been downloaded but not yet executed.
  4. If an upgrade cannot be applied right away, consider implementing a Web Application Firewall (WAF) rule to block POST requests to environment endpoints containing shell metacharacters (e.g., ;, |, $, `).
  5. Apply general hardening measures:
    • Input sanitization for all user‑supplied fields.
    • Principle of least privilege for the osquery agent.
    • Regular code reviews focusing on command construction.
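The following added example (not osctrl's own code) places the vulnerable string-building pattern the advisory describes beside a hardened renderer that applies the advisory's allow-list and single-quotes the value, plus an audit helper for remediation step 2. The script layout, the OSCTRL_HOST variable name and the sample hostnames are constructed assumptions, not taken from the project.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// hostnameRe is the advisory's allow-list: letters, digits, dots and hyphens only.
var hostnameRe = regexp.MustCompile(`^[a-zA-Z0-9.\-]+$`)

// RenderEnrollUnsafe is the vulnerable pattern (hypothetical, modelled on the advisory): the hostname is pasted in verbatim.
func RenderEnrollUnsafe(hostname string) string {
	return "#!/bin/sh\nOSCTRL_HOST=" + hostname + "\necho \"enrolling with $OSCTRL_HOST\"\n"
}

// shellQuote wraps s in single quotes so a POSIX shell treats it as literal text.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// RenderEnrollSafe rejects anything outside the allow-list and, as defence in depth, single-quotes the value.
func RenderEnrollSafe(hostname string) (string, error) {
	if !hostnameRe.MatchString(hostname) {
		return "", errors.New("rejected hostname: " + hostname)
	}
	return "#!/bin/sh\nOSCTRL_HOST=" + shellQuote(hostname) + "\necho \"enrolling with $OSCTRL_HOST\"\n", nil
}

// AuditHostnames returns the stored environment hostnames that fail the allow-list
// (remediation step 2: review existing configurations for suspicious entries).
func AuditHostnames(names []string) []string {
	var suspect []string
	for _, n := range names {
		if !hostnameRe.MatchString(n) {
			suspect = append(suspect, n)
		}
	}
	return suspect
}

func main() {
	// Constructed sample values, not taken from any real osctrl deployment.
	fmt.Print(RenderEnrollUnsafe("myhost; id #"))
	_, err := RenderEnrollSafe("myhost; id #")
	fmt.Println("safe renderer:", err)
	fmt.Println("audit:", AuditHostnames([]string{"web-01.corp", "db; id #", "ok-host"}))
}
```

The unsafe renderer emits the injected text as a second shell command, while the safe renderer refuses it before any script is produced.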

References

  • GHSA-rchw-322g-f7rm – GitHub security advisory.
  • NVD entry for CVE-2026-28279.
  • Full report for CVE-2026-28279 (available on the vendor's website).