CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-798h-hpph-m24j: Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command

highCVSS 7.8CVE-2026-55426
Summary When a check plugin places user provided input inside a command which is passed to shell_exec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get root privileges. Details An example for this is the restic-check plugin, where the --repo argument is placed inside the command argument of shell_exec. As an example, an attacker could use the --repo argument |touch /root/nagios-was-here|. The full restic command is assembled to the string restic --json --repo=|touch /root/nagios-was-here| --password-file= check before it is passed to shell_exec. shell_exec then splits the command up in three parts at the | boundaries and executes the parts separately, which also executes the embedded command touch /root/nagios-was-here. PoC This PoC shows how the nagios user can use this to create a file inside /root. nagios@test-vm:/$ sudo /usr/lib64/nagios/plugins/restic-check --repo '|touch /root/nagios-was-here|' Impact The vulnerability is a local privilege escalation. Fix Switch from | to an array Remove the | split functionality. Instead, modify shell_exec to accept either a string or an array of strings. If an array is provided, the commands are chained together like they currently are when using |. If a string is provided, no split should be performed. You could also introduce a separate function like shell_exec_with_user_input() which implements this such that the current shell_exec function can stay like it is. This leaves the problem that an attacker can still specify arbitrary arguments inside a command. An example for this would be to use the --repo argument sftp://example.com --cache-dir /tmp, which would lead to the execution of: restic --json --repo=sftp://example.com --cache-dir /tmp --password-file=None check. Please note that this example should mainly highlight the problem in general. To prevent the problem, th

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.8
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-798h-hpph-m24j

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55426coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories