PatchSiren cyber security CVE debrief

CVE-2026-24712 Northern.tech CVE debrief

A command injection vulnerability in Northern.tech CFEngine Enterprise and Community allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special elements used in OS commands (CWE-77). Affected versions include all Enterprise and Community editions prior to 3.21.8, versions 3.24.0 through 3.24.2, and version 3.26.0. The vulnerability was published on May 14, 2026, with the NVD record last modified on May 19, 2026. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Northern.tech
Product: CFEngine
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

System administrators managing CFEngine deployments, security teams responsible for configuration management infrastructure, DevOps engineers utilizing CFEngine for infrastructure automation, and organizations relying on CFEngine for compliance and policy enforcement across their environments.

Technical summary

CVE-2026-24712 is a command injection vulnerability (CWE-77) in Northern.tech CFEngine Enterprise and Community editions. The vulnerability allows unauthenticated remote attackers to inject and execute arbitrary OS commands due to improper input sanitization. The CVSS 3.1 base score of 7.3 reflects network accessibility, low attack complexity, and no required privileges or user interaction, with impacts to confidentiality, integrity, and availability all rated as LOW. Affected versions span multiple release branches: all versions before 3.21.8, versions 3.24.0 through 3.24.2, and version 3.26.0. Remediation requires upgrading to patched versions 3.21.8, 3.24.3, 3.27.0, or later.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade CFEngine Enterprise or Community to version 3.21.8, 3.24.3, 3.27.0, or later to remediate this vulnerability
  • Review CFEngine policy configurations for unauthorized modifications if running affected versions
  • Monitor system logs for anomalous command execution patterns
  • Apply principle of least privilege to CFEngine agent execution contexts
  • Subscribe to Northern.tech security advisories for future vulnerability notifications
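To turn the version ranges in this debrief into a fleet check, the following added example (not PatchSiren's or Northern.tech's code) classifies each host's reported CFEngine version against the affected ranges and patched releases stated above, and names the smallest patched release the host should move to. The version-string format, the inventory layout and the hostnames are assumptions constructed for the example; only the version boundaries come from the debrief.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges exactly as the debrief lists them (inclusive bounds);
# "all versions before 3.21.8" becomes an open lower bound up to 3.21.7.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (3, 21, 7)),   # every release before 3.21.8
    ((3, 24, 0), (3, 24, 2)),  # 3.24.0 through 3.24.2
    ((3, 26, 0), (3, 26, 0)),  # 3.26.0
]
# Patched releases named in the debrief ("or later" on each branch is fine).
FIXED_RELEASES: List[Version] = [(3, 21, 8), (3, 24, 3), (3, 27, 0)]

def parse_version(text: str) -> Version:
    """Parse '3.24.1', '3.21.7-2' or 'v3.26.0'; missing parts are 0, package suffixes ignored."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CFEngine version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version: str) -> bool:
    """True when the version falls inside any range the debrief lists."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def recommended_upgrade(version: str) -> str:
    """Smallest patched release newer than an affected version, else ''."""
    if not is_affected(version):
        return ""
    v = parse_version(version)
    return ".".join(map(str, min(f for f in FIXED_RELEASES if f > v)))

def triage(inventory: str) -> Dict[str, str]:
    """Map 'host version' lines to the upgrade each host needs ('' = not in a listed range)."""
    result: Dict[str, str] = {}
    for line in inventory.strip().splitlines():
        host, version = line.split()
        result[host] = recommended_upgrade(version)
    return result

# Constructed sample inventory (hostnames and versions made up for this example).
SAMPLE_INVENTORY = """
hub01    3.21.5
agent02  3.24.1-1
agent03  3.26.0
agent04  3.22.1
"""
```

The check reflects only the ranges the debrief enumerates; a version outside them (such as 3.22.1 in the sample) is reported as not listed, not as verified safe.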

Evidence notes

The CVSS 3.1 score of 7.3 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L indicates a network-accessible attack vector with low attack complexity, no privileges required, and no user interaction needed, with confidentiality, integrity, and availability impacts each rated LOW. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). CPE criteria confirm affected versions across multiple CFEngine release branches.

Official resources

The vulnerability was disclosed through official channels with vendor advisory and mitigation guidance published by Northern.tech. The CVE was assigned and published on May 14, 2026, with subsequent modifications to the NVD record on May 19