GHSA-798H-HPPH-M24J
Vulnerability from github – Published: 2026-07-06 21:13 – Updated: 2026-07-06 21:13Summary
When a check plugin places user provided input inside a command which is passed to shell_exec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get root privileges.
Details
An example for this is the restic-check plugin, where the --repo argument is placed inside the command argument of shell_exec. As an example, an attacker could use the --repo argument |touch /root/nagios-was-here|. The full restic command is assembled to the string restic --json --repo=|touch /root/nagios-was-here| --password-file= check before it is passed to shell_exec. shell_exec then splits the command up in three parts at the | boundaries and executes the parts separately, which also executes the embedded command touch /root/nagios-was-here.
PoC
This PoC shows how the nagios user can use this to create a file inside /root.
nagios@test-vm:/$ sudo /usr/lib64/nagios/plugins/restic-check --repo '|touch /root/nagios-was-here|'
Impact
The vulnerability is a local privilege escalation.
Fix
Switch from | to an array
Remove the | split functionality. Instead, modify shell_exec to accept either a string or an array of strings. If an array is provided, the commands are chained together like they currently are when using |. If a string is provided, no split should be performed. You could also introduce a separate function like shell_exec_with_user_input() which implements this such that the current shell_exec function can stay like it is.
This leaves the problem that an attacker can still specify arbitrary arguments inside a command. An example for this would be to use the --repo argument sftp://example.com --cache-dir /tmp, which would lead to the execution of: restic --json --repo=sftp://example.com --cache-dir /tmp --password-file=None check. Please note that this example should mainly highlight the problem in general. To prevent the problem, there is either escaping or again array-syntax. Escaping would use shlex.quote to place the user provided argument inside quotes and which also escapes everything which needs to be escaped. Using array syntax would mean providing the full command as an array like ['restic', '--json', '--repo', 'sftp://example.com']. The array can then be given as-is to Popen. With this method, the proposed shell_exec_with_user_input would accept an array of array of strings.
Patches
The fix follows the array-syntax approach proposed above:
linuxfabrik-lib5.0.0:lib.shell.shell_exec()requires the command as a list of arguments (argv) and always runs withshell=False. The|split functionality, command strings and theshell=parameter have been removed, so user-provided input can no longer break out of a command.lib.shell.safe_cli_value()additionally guards positional arguments (such as an ssh destination or a ping target) against option injection, andlib.sshbuilds argument lists as well.- Linuxfabrik Monitoring Plugins: all plugins assemble their external commands as argv lists (commit 23bb570f4). Contained in every release after v5.2.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "linuxfabrik-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55426"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:13:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nWhen a check plugin places user provided input inside a command which is passed to `shell_exec`, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get root privileges.\n\n### Details\nAn example for this is the `restic-check` plugin, where the `--repo` argument is placed inside the command argument of `shell_exec`. As an example, an attacker could use the `--repo` argument `|touch /root/nagios-was-here|`. The full restic command is assembled to the string `restic --json --repo=|touch /root/nagios-was-here| --password-file= check` before it is passed to `shell_exec`. `shell_exec` then splits the command up in three parts at the | boundaries and executes the parts separately, which also executes the embedded command `touch /root/nagios-was-here`.\n\n### PoC\nThis PoC shows how the nagios user can use this to create a file inside `/root`.\n```\nnagios@test-vm:/$ sudo /usr/lib64/nagios/plugins/restic-check --repo \u0027|touch /root/nagios-was-here|\u0027\n```\n\n### Impact\nThe vulnerability is a local privilege escalation.\n\n### Fix\n\n#### Switch from | to an array\nRemove the | split functionality. Instead, modify shell_exec to accept either a string or an array of strings. If an array is provided, the commands are chained together like they currently are when using |. If a string is provided, no split should be performed. You could also introduce a separate function like `shell_exec_with_user_input()` which implements this such that the current shell_exec function can stay like it is.\n\nThis leaves the problem that an attacker can still specify arbitrary arguments inside a command. An example for this would be to use the `--repo` argument `sftp://example.com --cache-dir /tmp`, which would lead to the execution of: `restic --json --repo=sftp://example.com --cache-dir /tmp --password-file=None check`. Please note that this example should mainly highlight the problem in general. To prevent the problem, there is either escaping or again array-syntax. Escaping would use `shlex.quote` to place the user provided argument inside quotes and which also escapes everything which needs to be escaped. Using array syntax would mean providing the full command as an array like `[\u0027restic\u0027, \u0027--json\u0027, \u0027--repo\u0027, \u0027sftp://example.com\u0027]`. The array can then be given as-is to `Popen`. With this method, the proposed `shell_exec_with_user_input` would accept an array of array of strings.\n\n### Patches\n\nThe fix follows the array-syntax approach proposed above:\n\n* `linuxfabrik-lib` 5.0.0: `lib.shell.shell_exec()` requires the command as a list of\n arguments (argv) and always runs with `shell=False`. The `|` split functionality, command\n strings and the `shell=` parameter have been removed, so user-provided input can no longer\n break out of a command. `lib.shell.safe_cli_value()` additionally guards positional\n arguments (such as an ssh destination or a ping target) against option injection, and\n `lib.ssh` builds argument lists as well.\n* Linuxfabrik Monitoring Plugins: all plugins assemble their external commands as argv lists\n (commit 23bb570f4). Contained in every release after v5.2.0.",
"id": "GHSA-798h-hpph-m24j",
"modified": "2026-07-06T21:13:38Z",
"published": "2026-07-06T21:13:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Linuxfabrik/monitoring-plugins/security/advisories/GHSA-798h-hpph-m24j"
},
{
"type": "PACKAGE",
"url": "https://github.com/Linuxfabrik/monitoring-plugins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.