GHSA-rchw-322g-f7rm: osctrl is Vulnerable to OS Command Injection via Environment Configuration
Summary
osctrl-admin is vulnerable to OS command injection (an attacker running unauthorized commands on a system): an authenticated administrator can inject arbitrary shell commands through the hostname parameter when setting up environments. The injected commands are embedded into enrollment scripts and execute on every computer that enrolls using the compromised environment, running with the highest privilege level before osquery (endpoint monitoring software) is even installed.
Solution / Mitigation
Fixed in osctrl v0.5.0. Users should upgrade immediately. As workarounds, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and monitor enrollment scripts for unexpected commands.
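One way to carry out the "review existing environment configurations" workaround, as an added example (not osctrl code and not the fix shipped in v0.5.0): it flags any hostname value that is not a plain RFC 1123 hostname or IP literal with an optional port. The environment names and values are constructed, and the check assumes the hostname field is meant to hold a bare host or host:port.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
var hostRE = regexp.MustCompile(`^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// CheckHostname returns "" for a hostname or IP (optionally :port), else a reason.
func CheckHostname(value string) string {
	host := value
	if h, p, err := net.SplitHostPort(value); err == nil {
		if n, err := strconv.Atoi(p); err != nil || n < 1 || n > 65535 {
			return "port is not a number in 1-65535"
		}
		host = h
	}
	if net.ParseIP(host) == nil && (len(host) > 253 || !hostRE.MatchString(host)) {
		return "not an RFC 1123 hostname or IP literal"
	}
	return ""
}

// Audit maps each flagged environment name to the reason it was flagged.
func Audit(envs map[string]string) map[string]string {
	flagged := map[string]string{}
	for name, hostname := range envs {
		if reason := CheckHostname(hostname); reason != "" {
			flagged[name] = reason
		}
	}
	return flagged
}

// Constructed sample data (environment name -> configured hostname value).
var sampleEnvs = map[string]string{
	"prod":    "osctrl.example.com",
	"staging": "osctrl.example.com:8443",
	"dev":     "osctrl.example.com; echo INJECTED",
	"lab":     "osctrl.example.com:443$(echo INJECTED)",
}

func main() {
	fmt.Println(Audit(sampleEnvs))
}
```

The check is an allowlist, so any value containing whitespace, quotes or shell metacharacters is flagged without enumerating them.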
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-rchw-322g-f7rm
First tracked: February 27, 2026 at 11:00 PM