OmniSync's Diagnostic Disaster: A Trivial Command Injection for the Modern Age
Jan 1, 2026
Executive Summary (TL;DR)
A high-impact, unauthenticated RCE in OmniSync Data Orchestrator's diagnostics API. Attackers can execute shell commands by simply crafting a malicious 'hostname' in a request to the '/api/v1/diagnostics/ping' endpoint. Patch immediately or face the consequences.
A critical OS command injection vulnerability exists in the diagnostics API endpoint of OmniSync Data Orchestrator versions 3.0.0 through 3.5.1. An unauthenticated remote attacker can inject arbitrary shell commands by manipulating the 'hostname' parameter of the '/api/v1/diagnostics/ping' endpoint. The vulnerability stems from the direct concatenation of user-supplied input into a string that is later executed by the system shell, leading to Remote Code Execution (RCE) with the privileges of the OmniSync service account.
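The concatenation flaw described above beside a hardened form, as an added example that is not OmniSync's code (the page does not show the handler). The `ping -c 1` command line and all function names are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_host(value: str) -> str:
    """Return value if it is an IP literal or an RFC 1123 hostname, else raise."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        raise ValueError("hostname missing or too long")
    if "%" not in value:  # refuse IPv6 zone ids; their content is unrestricted
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass  # not an IP literal, fall through to the hostname check
    if all(_LABEL.fullmatch(label) for label in value.split(".")):
        return value
    raise ValueError("hostname contains characters outside [A-Za-z0-9.-]")


def vulnerable_command(hostname: str) -> str:
    """Flawed pattern (assumed shape): input concatenated into shell text."""
    return "ping -c 1 " + hostname  # a shell would parse metacharacters here


def build_ping_argv(hostname: str) -> list[str]:
    """Hardened form: validated host as a single argv element after '--'."""
    return ["ping", "-c", "1", "--", validate_host(hostname)]


def run_ping(hostname: str) -> int:
    """Run ping without a shell; the hostname is never parsed as command text."""
    result = subprocess.run(build_ping_argv(hostname), capture_output=True,
                            timeout=5, check=False)
    return result.returncode
```

The allowlist also rejects values beginning with `-`, so a hostname cannot be read by `ping` as an option even though no shell is involved.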
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OmniSync Data Orchestrator (OmniSync Inc.) | >= 3.0.0, <= 3.5.1 | 3.5.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| CWE Name | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| CVSS v3.1 Score | 9.8 (Critical) |
| Exploit Status | Weaponized |
MITRE ATT&CK Mapping
Known Exploits & Detection
Vulnerability Timeline