Subject: PSA-2026-00004-1: Authenticated Remote Code Execution via shell injection
Advisory date: 2026-01-13
Packages: proxmox-datacenter-manager
Details: Missing separation between options and package name arguments in an apt-get invocation exposed over the API allowed an authenticated attacker with Sys.Modify privileges to inject arbitrary options into the resulting apt-get command line. Such an attacker could inject certain dpkg options that trigger arbitrary code execution as the root user.
Only authenticated admin users with relatively powerful Sys.Modify privileges can access the vulnerable API endpoint.
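As an added illustration that is not Proxmox code, the argument-handling pattern the advisory describes and its hardened form, written in Rust; the function names and the `install -y` invocation are assumptions made for the example.

```rust
/// Debian Policy 5.6.1 package-name syntax: lowercase letters, digits,
/// '+', '-' and '.', at least two characters, starting with a letter or digit.
/// A leading '-' therefore never passes, so no name can be parsed as an option.
fn is_valid_package_name(name: &str) -> bool {
    let first = match name.chars().next() {
        Some(c) => c,
        None => return false,
    };
    let first_ok = first.is_ascii_lowercase() || first.is_ascii_digit();
    let rest_ok = name
        .chars()
        .all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '+' | '-' | '.'));
    name.len() >= 2 && first_ok && rest_ok
}

/// Vulnerable pattern (hypothetical reconstruction): caller-controlled package
/// names are appended straight after the options, so a name that starts with
/// '-' is interpreted by apt-get as an option rather than as a package.
fn apt_args_unsafe(packages: &[&str]) -> Vec<String> {
    let mut args = vec!["install".to_string(), "-y".to_string()];
    args.extend(packages.iter().map(|p| p.to_string()));
    args
}

/// Hardened pattern: validate every name, then terminate option parsing with
/// "--" so everything after it is positional even if validation were bypassed.
fn apt_args_safe(packages: &[&str]) -> Result<Vec<String>, String> {
    let mut args = vec!["install".to_string(), "-y".to_string(), "--".to_string()];
    for p in packages {
        if !is_valid_package_name(p) {
            return Err(format!("rejected package name {p:?}"));
        }
        args.push(p.to_string());
    }
    Ok(args)
}

fn main() {
    // Constructed inputs: a legitimate name and one that would be read as an option.
    for input in [vec!["proxmox-datacenter-manager"], vec!["--some-option=value", "vim"]] {
        println!("unsafe argv: {:?}", apt_args_unsafe(&input));
        println!("safe result: {:?}", apt_args_safe(&input));
    }
}
```

The same two controls, syntactic validation plus an explicit `--` separator, apply to any process spawned with caller-controlled positional arguments, not only apt-get.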
Kevin Joensen <kevin@baldur.dk> of Baldur Security first reported this issue affecting the Proxmox Mail Gateway (PSA-2026-00001-1); our security team expanded the scope to the other projects.
Fixed: proxmox-datacenter-manager >= 1.0.2
References: Advisories PSA-2026-00001-1, PSA-2026-00002-1, and PSA-2026-00003-1 all address similar issues in other Proxmox projects.