AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-rphv-h674-5hp2: Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

highvulnerability

security

Source: GitHub Advisory DatabaseApril 8, 2026CVE-2026-27806

Summary

The Orbit agent (software that manages computer endpoints) has a vulnerability in how it handles disk encryption key rotation. When a user enters their password through a dialog box, the software directly inserts it into a Tcl script (a programming language for automation) without properly cleaning it first. An attacker can craft a password containing special characters like `}` to break out of the script and inject their own commands, which then run with root privileges (the highest level of system access), allowing any unprivileged local user to take complete control of the computer.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

April 8, 2026

Classification

Attack SophisticationModerate

Affected Packages

github.com/fleetdm/fleet/v4@< 4.81.1 (fixed: 4.81.1)

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-rphv-h674-5hp2

First tracked: April 8, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 95%