PT-2026-7439 · Catalyst · Catalyst

Loopofficial · Published 2026-02-10 · Updated 2026-02-11 · CVE-2026-26009

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Catalyst versions prior to 11980aaf3f46315b02777f325ba02c56b110165d

Description

The platform allows users with template.create or template.update permissions to define arbitrary shell commands within server templates. These commands are executed as root via bash -c on the host operating system without any sandboxing or containerization, leading to full root-level remote code execution on every node machine in the cluster. The affected API endpoint is the server template creation/update functionality. The vulnerable variable is the template content itself, which allows for arbitrary shell command injection.

Recommendations

Update to version 11980aaf3f46315b02777f325ba02c56b110165d or later. Restrict permissions for template.create and template.update to prevent unauthorized users from defining arbitrary shell commands.

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-26009
GHSA-XV5R-CPCW-8WR3

Affected Products

Catalyst