Platform
linux
Component
fleetdm/fleet
Fixed in
4.81.2
Fleet is open-source device management software. A vulnerability has been identified affecting versions 4.81.0 through 4.81.0: a command injection flaw in the Orbit agent's FileVault disk encryption key rotation process lets a local, unprivileged user inject arbitrary Tcl commands into a script that runs with root privileges, and thereby potentially escalate to root. The vulnerability is resolved in version 4.81.1, and users are advised to upgrade promptly.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
Update to version 4.81.1 or later to mitigate the vulnerability. This update fixes the Tcl command injection by properly validating user input before executing scripts.
CVE-2026-27806 is a Command Injection vulnerability in Fleet's Orbit agent. It allows a local user to inject commands into a script executed with root privileges during FileVault key rotation, potentially leading to privilege escalation.
You are affected if you are using Fleet version 4.81.0 or earlier. Versions prior to 4.81.1 are vulnerable to this Command Injection flaw.
Upgrade Fleet to version 4.81.1 to resolve this vulnerability. This version includes a fix that prevents the command injection.
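The pattern behind this class of bug is a privileged Go helper that splices a user-supplied value straight into the source of a Tcl/expect script. The following is an added example, not Fleet's or Orbit's own code: it contrasts that anti-pattern with a hardened builder that keeps the value out of the script source entirely (the script reads it from an environment variable at run time, and Tcl does not re-parse variable contents as code), plus an input validator as defence in depth. The environment variable name, the `spawn` target and the use of `expect -c` are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// buildScriptUnsafe shows the anti-pattern: the caller-controlled value is
// spliced into Tcl source with fmt.Sprintf, so any Tcl metacharacters in it
// are parsed as code when expect evaluates the script. (Hypothetical shape,
// not the Orbit code path.)
func buildScriptUnsafe(secret string) string {
	return fmt.Sprintf("spawn /usr/bin/true\nexpect \"Password:\"\nsend \"%s\\r\"\nexpect eof\nexit\n", secret)
}

// tclMetachars are characters that change how Tcl parses source text:
// command substitution, variable substitution, backslash escapes, quoting,
// grouping, command separators and comments.
const tclMetachars = "[]$\\\"{};#\n\r"

// ValidateSecret rejects values that could alter Tcl parsing if they ever
// reached script source. It is defence in depth; the primary fix is to keep
// the value out of the source (see BuildScriptSafe).
func ValidateSecret(secret string) error {
	if secret == "" {
		return errors.New("empty value")
	}
	if i := strings.IndexAny(secret, tclMetachars); i >= 0 {
		return fmt.Errorf("value contains Tcl metacharacter %q at offset %d", secret[i], i)
	}
	return nil
}

// BuildScriptSafe never interpolates the value into Tcl source. The script
// reads it from the process environment via $env(...); the result of a
// variable substitution is sent literally and is not evaluated as Tcl, so
// brackets or dollar signs inside the value cannot become commands.
// FLEET_KEY_ROTATION_SECRET is an assumed, illustrative variable name.
func BuildScriptSafe() string {
	return "spawn /usr/bin/true\nexpect \"Password:\"\nsend \"$env(FLEET_KEY_ROTATION_SECRET)\\r\"\nexpect eof\nexit\n"
}

// RunRotation validates the value, then evaluates the safe script with
// expect, passing the value only through the child's environment.
// expectPath is a parameter so the example can be pointed at a stub.
func RunRotation(secret, expectPath string) error {
	if err := ValidateSecret(secret); err != nil {
		return fmt.Errorf("refusing to run rotation: %w", err)
	}
	cmd := exec.Command(expectPath, "-c", BuildScriptSafe())
	cmd.Env = append(os.Environ(), "FLEET_KEY_ROTATION_SECRET="+secret)
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("expect failed: %v: %s", err, out)
	}
	return nil
}

func main() {
	// Constructed sample inputs: one benign, one carrying Tcl brackets.
	for _, v := range []string{"correct-horse-battery", "abc[x]def"} {
		fmt.Printf("%-22q validate=%v\n", v, ValidateSecret(v))
		fmt.Printf("  unsafe script contains input verbatim: %v\n",
			strings.Contains(buildScriptUnsafe(v), v))
		fmt.Printf("  safe script contains input: %v\n",
			strings.Contains(BuildScriptSafe(), v))
	}
}
```

The design point is that validation alone is brittle (the metacharacter list must be exhaustive and kept in sync with the interpreter), whereas handing the value over as data rather than source removes the injection surface regardless of its contents; the two are layered here because a root-running helper warrants both.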
CVSS Vector