Subject: PSA-2026-00004-1: Authenticated Remote Code Execution via shell injection
Advisory date: 2026-01-13
Packages: proxmox-datacenter-manager
Details: Missing separation between options and package name arguments in an apt-get invocation exposed over the API allowed an authenticated attacker with Sys.Modify privileges to inject arbitrary options into the resulting apt-get command line. Such an attacker could inject certain dpkg options that trigger arbitrary code execution as root user.
Only authenticated admin users with relatively powerful Sys.Modify privileges can access the vulnerable API endpoint.
Kevin Joensen <kevin@baldur.dk> of Baldur Security first reported this issue as affecting the Proxmox Mail Gateway (PSA-2026-00001-1); our security team then expanded the scope to the other Proxmox projects.
Fixed: proxmox-datacenter-manager >= 1.0.2
References: Advisories PSA-2026-00001-1, PSA-2026-00002-1, and PSA-2026-00003-1 all address similar issues in other Proxmox projects.
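The defect described above is the absence of an end-of-options marker between fixed options and caller-supplied package names. The following is an added illustration of the hardened pattern, not Proxmox's code: the function names, the fixed option set and the validation rules (taken from Debian Policy's package-name syntax) are assumptions.

```rust
// Added example: building an apt-get argument vector for an API handler so that
// a caller-supplied package name can never be parsed as an option.

/// Debian package names: lowercase letters, digits, '+', '-' and '.', at least
/// two characters long, starting with an alphanumeric character. Rejecting a
/// leading '-' is a second, independent barrier against option injection.
pub fn is_valid_package_name(name: &str) -> bool {
    let first_ok = matches!(
        name.chars().next(),
        Some(c) if c.is_ascii_lowercase() || c.is_ascii_digit()
    );
    first_ok
        && name.len() >= 2
        && name
            .chars()
            .all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '+' | '-' | '.'))
}

/// Hardened form: fixed options first, then the `--` end-of-options marker,
/// then the validated package names. Everything after `--` is positional.
pub fn build_apt_args(packages: &[&str]) -> Result<Vec<String>, String> {
    let mut args: Vec<String> = ["-y", "install"].iter().map(|s| s.to_string()).collect();
    args.push("--".to_string());
    for pkg in packages {
        if !is_valid_package_name(pkg) {
            return Err(format!("invalid package name: {pkg:?}"));
        }
        args.push(pkg.to_string());
    }
    Ok(args)
}

/// Vulnerable pattern for comparison (the shape the advisory describes): names
/// are appended directly after the options, so a value beginning with '-' is
/// handed to apt-get in option position.
pub fn build_apt_args_unseparated(packages: &[&str]) -> Vec<String> {
    let mut args: Vec<String> = ["-y", "install"].iter().map(|s| s.to_string()).collect();
    args.extend(packages.iter().map(|s| s.to_string()));
    args
}

fn main() {
    // "--not-a-package" is a constructed value standing in for any option-like input.
    println!("{:?}", build_apt_args_unseparated(&["--not-a-package"]));
    println!("{:?}", build_apt_args(&["--not-a-package"]));
    println!("{:?}", build_apt_args(&["pve-manager"]));
}
```

In a real handler the vector would be passed to `std::process::Command::new("apt-get").args(&args)`; the point is that the `--` marker, not the validation alone, is what closes the option-injection path.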
Qualys discovered several vulnerabilities in the AppArmor LSM (Linux Security Module) code of the Linux kernel, which are being referred to as "Crackarmor".
All of the vulnerabilities require unprivileged local user access. Their impact ranges from denial of service, kernel memory information leaks and the removal of security controls to local privilege escalation to root and potential container escapes.
Refer to the upstream advisories linked below for more details.
Fixed:
- proxmox-kernel-6.8.12-20-pve(-signed) (Bookworm based releases)
- proxmox-kernel-6.14.11-6-bpo12-pve(-signed) (Bookworm based releases)
- proxmox-kernel-6.14.11-6-pve(-signed) (Trixie based releases)
- proxmox-kernel-6.17.13-2-pve(-signed) (Trixie based releases)