Summary
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command
Full technical description
When a check plugin places user provided input inside a command which is passed to shell_exec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get root privileges.
Details
An example for this is the restic-check plugin, where the --repo argument is placed inside the command argument of shell_exec. As an example, an attacker could use the --repo argument |touch /root/nagios-was-here|. The full restic command is assembled to the string restic --json --repo=|touch /root/nagios-was-here| --password-file= check before it is passed to shell_exec. shell_exec then splits the command up in three parts at the | boundaries and executes the parts separately, which also executes the embedded command touch /root/nagios-was-here.
PoC
This PoC shows how the nagios user can use this to create a file inside /root.
nagios@test-vm:/$ sudo /usr/lib64/nagios/plugins/restic-check --repo '|touch /root/nagios-was-here|'
Switch from | to an array
Remove the | split functionality. Instead, modify shell_exec to accept either a string or an array of strings. If an array is provided, the commands are chained together like they currently are when using |. If a string is provided, no split should be performed. You could also introduce a separate function like shell_exec_with_user_input() which implements this such that the current shell_exec function can stay like it is.
This leaves the problem that an attacker can still specify arbitrary arguments inside a command. An example for this would be to use the --repo argument sftp://example.com --cache-dir /tmp, which would lead to the execution of: restic --json --repo=sftp://example.com --cache-dir /tmp --password-file=None check. Please note that this example should mainly highlight the problem in general. To prevent the problem, there is either escaping or again array-syntax. Escaping would use shlex.quote to place the user provided argument inside quotes and which also escapes everything which needs to be escaped. Using array syntax would mean providing the full command as an array like ['restic', '--json', '--repo', 'sftp://example.com']. The array can then be given as-is to Popen. With this method, the proposed shell_exec_with_user_input would accept an array of array of strings.
Impact
The vulnerability is a local privilege escalation.
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2026-55426 has a CVSS score of 7.8 (High). The vector is requires local access, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The fix follows the array-syntax approach proposed above:
linuxfabrik-lib5.0.0:lib.shell.shell_exec()requires the command as a list of
arguments (argv) and always runs withshell=False. The|split functionality, command
strings and theshell=parameter have been removed, so user-provided input can no longer
break out of a command.lib.shell.safe_cli_value()additionally guards positional
arguments (such as an ssh destination or a ping target) against option injection, andlib.sshbuilds argument lists as well.- Linuxfabrik Monitoring Plugins: all plugins assemble their external commands as argv lists
(commit 23bb570f4). Contained in every release after v5.2.0.
Frequently Asked Questions
- What is CVE-2026-55426? CVE-2026-55426 is a high-severity OS command injection vulnerability in linuxfabrik-lib (pip), affecting versions < 5.0.0. It is fixed in 5.0.0. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2026-55426? CVE-2026-55426 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of linuxfabrik-lib are affected by CVE-2026-55426? linuxfabrik-lib (pip) versions < 5.0.0 is affected.
- Is there a fix for CVE-2026-55426? Yes. CVE-2026-55426 is fixed in 5.0.0. Upgrade to this version or later.
- Is CVE-2026-55426 exploitable, and should I be worried? Whether CVE-2026-55426 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-55426 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-55426? Upgrade
linuxfabrik-libto 5.0.0 or later.