CVE-2026-27208

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

26 February 2026

KEV Added

—

Patch

—

CVSS Score 9.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

EPSS Score 0.0019 40.3th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a container escape…

and unauthorized infrastructure modifications. This is fixed in version 1.0.1 by implementing strict input sanitization and secure delimiters in entrypoint.sh, enforcing a non-root user (appuser) in the Dockerfile, and establishing mandatory security quality gates.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses OS command injection by requiring strict validation and sanitization of inputs to prevent arbitrary command execution.

AC-6 Least Privilege good match

prevent

Mitigates privilege escalation by enforcing least privilege, such as running container processes as a non-root user like appuser instead of root.

CM-6 Configuration Settings good match

prevent

Ensures secure configuration settings in the Dockerfile and entrypoint.sh, including secure delimiters and mandatory security quality gates.

Security SummaryAI

CVE-2026-27208 affects version 1.0.0 of bleon-ethical/api-gateway-deploy, an API gateway deployment tool. The vulnerability is an attack chain combining OS command injection (CWE-78, CWE-88) with privilege escalation (CWE-250, CWE-269), stemming from improper input handling and execution of commands as root within the container. It carries a CVSS v3.1 base score of 9.2 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H), highlighting its critical severity due to high impact on confidentiality, availability, and scope change.

A local attacker with no privileges required can exploit this vulnerability with low complexity and no user interaction. Successful exploitation enables execution of arbitrary commands with root privileges inside the container, potentially leading to container escape and unauthorized modifications to the underlying infrastructure.

The vulnerability is addressed in version 1.0.1 through strict input sanitization, secure delimiters in entrypoint.sh, enforcement of a non-root user (appuser) in the Dockerfile, and mandatory security quality gates. Details are available in the GitHub security advisory (GHSA-chh5-w73q-4gmm) and release notes at the Security tag.

Details

CWE(s): CWE-78 CWE-88 CWE-250 CWE-269

Affected Products

bleon-ethical

api-gateway-deploy

1.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE enables OS command injection for Unix Shell execution (T1059.004) and privilege escalation to root privileges inside the container (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/bleon-ethical/api-gateway-deploy/releases/tag/Security
Release Notes · security-advisories@github.com
https://github.com/bleon-ethical/api-gateway-deploy/security/advisories/GHSA-chh5-w73q-4gmm
Vendor Advisory · security-advisories@github.com