PT-2026-31406 · Fleet · Fleet

Bugbunny-Research · Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-27806

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.1

Description: The Orbit agent's FileVault disk encryption key rotation flow collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script that is executed via exec.Command("expect", "-c", script). Because the password is inserted into the Tcl brace-quoted word send {%s}, a password containing } terminates the literal early, and the remainder of the password is parsed as further Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.

Recommendations: Update to Fleet version 4.81.1 or later.
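The following Go program is an added illustration, not code from this page, from Fleet or from Orbit. It contrasts the interpolation pattern the description names (a secret formatted into a brace-quoted send word) with a form that keeps the secret out of the script text entirely and hands it to expect through the child's environment. The fdesetup command line, the "Password:" prompt and the FV_PASSWORD variable name are hypothetical placeholders; braceLiteralIntact implements the Tcl brace-counting rule that explains why a } (or a trailing backslash) in the password changes the script's structure.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Hypothetical stand-in for the interactive command the rotation flow drives;
// the real prompts are not on the page.
const spawnLine = "spawn fdesetup changerecovery -personal"

// buildScriptUnsafe mirrors the pattern the advisory describes: the secret is
// formatted straight into a Tcl brace-quoted word. Tcl ends a {...} word at the
// first unbalanced '}', so a password containing one closes the literal early
// and whatever follows is parsed as Tcl rather than sent as password text.
func buildScriptUnsafe(password string) string {
	return fmt.Sprintf("%s\nexpect \"Password:\"\nsend {%s}\nsend \"\\r\"\n", spawnLine, password)
}

// braceLiteralIntact reports whether s can be placed inside a Tcl {...} word
// without closing or escaping the surrounding braces. Tcl tracks brace depth
// and treats a backslash as escaping the next character, so an unbalanced '}'
// or a trailing backslash both break the literal. Any flow that interpolated
// would have to reject such passwords; the hardened path below avoids the
// problem by never interpolating at all.
func braceLiteralIntact(s string) bool {
	depth := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			if i+1 >= len(s) {
				return false // would escape the closing brace of send {...}
			}
			i++ // the escaped character does not count toward brace depth
		case '{':
			depth++
		case '}':
			depth--
			if depth < 0 {
				return false // closes the literal early
			}
		}
	}
	return depth == 0
}

// safeScript never contains the secret. Tcl reads it at runtime from the child's
// environment; "$pw" inside a double-quoted word is substituted once and the
// result is not re-parsed as Tcl, and "--" stops send from treating a password
// that begins with '-' as an option. FV_PASSWORD is a name chosen for this example.
const safeScript = `set pw $env(FV_PASSWORD)
` + spawnLine + `
expect "Password:"
send -- "$pw\r"
expect eof
`

// safeExpectCommand builds the expect invocation with the password passed only
// through the child's environment, not through argv or the script text, so it
// cannot alter the script and does not appear in the process's command line.
func safeExpectCommand(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", safeScript)
	cmd.Env = append(os.Environ(), "FV_PASSWORD="+password)
	return cmd
}

func main() {
	// Constructed sample value; a legitimate password may well contain '}'.
	pw := "tr0ub4dor}3"
	fmt.Println("brace literal intact:", braceLiteralIntact(pw))
	fmt.Println("unsafe script embeds secret:", strings.Contains(buildScriptUnsafe(pw), pw))
	cmd := safeExpectCommand(pw)
	fmt.Println("safe script embeds secret:", strings.Contains(cmd.Args[2], pw))
}
```

The same reasoning applies to any shell, Tcl or SQL text assembled with fmt.Sprintf: quoting rules are a parser's concern, and data that crosses into a parsed language must travel on a channel the parser never tokenizes (environment, stdin, bound parameters), not inside the program text.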

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers

CVE-2026-27806
GHSA-RPHV-H674-5HP2

Affected Products

Fleet