CVE-2026-28279

Name of the Vulnerable Software and Affected Versions osctrl versions prior to 0.5.0

Description osctrl is a management solution for osquery. A command injection issue exists in the osctrl-admin environment configuration before version 0.5.0. An authenticated administrator can inject arbitrary shell commands through the hostname parameter when creating or editing environments. These commands are embedded into enrollment scripts generated using Go's text/template package, which does not perform shell escaping, and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. The API endpoint used for environment configuration is within the osctrl-admin interface. The vulnerable parameter is hostname.

Recommendations Restrict osctrl administrator access to trusted personnel. Review existing environment configurations for suspicious hostnames. Monitor enrollment scripts for unexpected commands.