7.4
osctrl Software Allows Hackers to Execute Commands on Endpoints
CVE-2026-28279
GHSA-rchw-322g-f7rm
Summary
An attacker who has administrator access to osctrl can execute any system command on all endpoints that use a compromised environment, allowing them to install malware or steal sensitive information. This is a serious issue that requires immediate attention. To protect your endpoints, upgrade to the latest version of osctrl and review your environment configurations for any suspicious changes.
What to do
- Update github.com/jmpsec (osctrl) to version 0.5.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | jmpsec | <= 0.5.0 | 0.5.0 |
| jmpsec | osctrl | <= 0.5.0 | – |
Original title
osctrl is Vulnerable to OS Command Injection via Environment Configuration
Original description
### Summary
An OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment.
### Impact
An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise.
### Patches
Fixed in osctrl `v0.5.0`. Users should upgrade immediately.
### Workarounds
Restrict osctrl administrator access to trusted personnel. Review existing environment configurations for suspicious hostnames. Monitor enrollment scripts for unexpected commands.
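The advisory's root cause is that `text/template` substitutes the stored hostname into a shell one-liner verbatim, so the fix has to happen before templating. The following Go program is an added example, not code from the osctrl project: it puts an allowlist validator in front of a constructed stand-in for the enrollment template (`enrollTmpl`, `RenderEnroll`, `RenderEnrollSafe` and `sampleEnvs` are all hypothetical names and constructed data), shows for comparison that the unvalidated render passes shell metacharacters straight through, and implements the workaround's "review existing environment configurations" step as a scan that flags every environment whose hostname would not pass the allowlist.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"regexp"
	"sort"
	"text/template"
)

// hostnameRE is an allowlist for the environment hostname: RFC 1123 labels
// joined by dots, with an optional ":port". Shell metacharacters such as
// ';', '$', '`', '|' and whitespace cannot match, so they never reach the template.
var hostnameRE = regexp.MustCompile(
	`^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?` +
		`(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*` +
		`(?::[0-9]{1,5})?$`)

// ValidateHostname rejects anything that is not a plain host[:port].
func ValidateHostname(h string) error {
	if len(h) == 0 || len(h) > 253 {
		return errors.New("hostname length out of range")
	}
	if !hostnameRE.MatchString(h) {
		return fmt.Errorf("hostname %q contains characters outside the allowlist", h)
	}
	return nil
}

// enrollTmpl is a constructed stand-in for an enrollment one-liner (not osctrl's
// real template). text/template substitutes {{.Hostname}} verbatim; it has no
// notion of shell quoting.
const enrollTmpl = `curl -sk https://{{.Hostname}}/{{.Env}}/enroll | sh`

type enrollData struct {
	Hostname string
	Env      string
}

// RenderEnroll templates the script without validating the hostname, which is
// the behaviour the advisory describes: whatever is stored is emitted as-is.
func RenderEnroll(hostname, env string) (string, error) {
	t, err := template.New("enroll").Parse(enrollTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, enrollData{Hostname: hostname, Env: env}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderEnrollSafe is the hardened form: validate first, then template.
func RenderEnrollSafe(hostname, env string) (string, error) {
	if err := ValidateHostname(hostname); err != nil {
		return "", err
	}
	return RenderEnroll(hostname, env)
}

// SuspiciousHostnames is the review step from the workaround: given existing
// environment records (name -> configured hostname), return the names whose
// hostname would not pass the allowlist, sorted for stable output.
func SuspiciousHostnames(envs map[string]string) []string {
	var out []string
	for name, host := range envs {
		if ValidateHostname(host) != nil {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// sampleEnvs is constructed data standing in for stored environment configs.
var sampleEnvs = map[string]string{
	"prod":    "osctrl.example.internal:8443",
	"dev":     "dev-osctrl.example.internal",
	"staging": "osctrl.example.internal; echo injected",
	"lab":     "$(id)",
}

func main() {
	for _, name := range SuspiciousHostnames(sampleEnvs) {
		fmt.Printf("environment %q has a hostname that fails validation: %q\n", name, sampleEnvs[name])
	}
	if _, err := RenderEnrollSafe(sampleEnvs["staging"], "staging"); err != nil {
		fmt.Println("refused:", err)
	}
}
```

The allowlist is deliberately strict rather than a denylist of metacharacters: a hostname that is only ever placed into a URL has no legitimate need for anything beyond letters, digits, hyphens, dots and a port, and rejecting everything else avoids having to reason about which quoting tricks a given shell honours. Running the same check over stored records turns the workaround's manual review into something repeatable, and a scheduled run of it is a cheap detection for a compromised environment record until the upgrade lands.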
### Credits
Leon Johnson and Kwangyun Keum from TikTok USDS JV Offensive Security Operations (Offensive Privacy Team)
https://github.com/Kwangyun → @Kwangyun
https://github.com/sho-luv → @sho-luv
NVD CVSS 3.1: 8.4
Vulnerability type
CWE-78
OS Command Injection
- https://github.com/jmpsec/osctrl/pull/777 Issue Tracking Patch
- https://github.com/jmpsec/osctrl/pull/780 Issue Tracking Patch
- https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm Vendor Advisory Mitigation
- https://nvd.nist.gov/vuln/detail/CVE-2026-28279
- https://github.com/advisories/GHSA-rchw-322g-f7rm
Published: 28 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026