Cyber Posture

CVE-2026-26009

Critical

Published: 10 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0039 (60.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Catalyst is a platform built for enterprise game server hosts, game communities, and billing panel integrations. Install scripts defined in server templates execute directly on the host operating system as root via bash -c, with no sandboxing or containerization. Any user with template.create or template.update permission can define arbitrary shell commands that achieve full root-level remote code execution on every node machine in the cluster. This vulnerability is fixed in commit 11980aaf3f46315b02777f325ba02c56b110165d.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Validates and sanitizes user-defined install scripts prior to execution to directly prevent OS command injection vulnerabilities like this one.

prevent

Enforces least privilege by ensuring install scripts execute without root privileges, comprehensively limiting the impact of any injected commands.

prevent

Restricts access to template.create and template.update functions to authorized personnel only, reducing the attack surface for injecting malicious scripts.

Security Summary [AI]

CVE-2026-26009 is an OS command injection vulnerability (CWE-78) in the Catalyst platform, which is designed for enterprise game server hosts, game communities, and billing panel integrations. The issue stems from install scripts defined in server templates that execute directly on the host operating system as root via bash -c, without any sandboxing or containerization. This allows arbitrary commands to be injected and run with root privileges. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-10.

An attacker with template.create or template.update permissions can exploit this vulnerability by defining malicious shell commands in a server template. This leads to full root-level remote code execution on every node machine in the Catalyst cluster, enabling complete compromise of the host systems over the network with low complexity and no user interaction required.

The vulnerability is addressed in Catalyst commit 11980aaf3f46315b02777f325ba02c56b110165d, as detailed in the project's GitHub security advisory (GHSA-xv5r-cpcw-8wr3). Security practitioners should update to this commit or later to mitigate the issue.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE enables remote exploitation of a public-facing application via OS command injection in server templates, allowing arbitrary bash command execution as root (T1190, T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
