Auth bypass in Coreos Zincati
CVE-2025-27512
Zincati is an auto-update agent for Fedora CoreOS hosts. Zincati ships a polkit rule which allows the `zincati` system user to use the actions `org.projectatomic.rpmostree1.deploy` to deploy updates to the system and `org.projectatomic.rpm…
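The description above concerns a polkit rule that grants the `zincati` system user the rpm-ostree update actions. The following JavaScript is an added illustration, not Zincati's shipped rule and not polkit's own code: it shows a rule scoped to that user and to a fixed set of action ids, together with a small mock of polkit's rule evaluation so the decision can be exercised offline. The mock `polkit` object, `ZINCATI_ACTIONS`, `checkAuthorization`, `auditRule` and the assumed implicit default `auth_admin` are this example's own names; the second rpm-ostree action id is truncated on this page and is deliberately not filled in.

```javascript
"use strict";

// Mock of the globals polkitd exposes to files in /etc/polkit-1/rules.d.
// Added for this example so the rule can be evaluated outside polkit.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Action ids the update agent needs. Only the deploy action id is spelled out
// in full on this page; the second rpm-ostree action id is truncated there,
// so add it here from the full advisory before reusing this rule.
const ZINCATI_ACTIONS = new Set([
  "org.projectatomic.rpmostree1.deploy",
]);

// Illustrative rule: the action id and the calling user are tested in the
// same condition. If either test can be bypassed on the way to YES, every
// local user gets to drive rpm-ostree with the agent's privileges.
polkit.addRule(function (action, subject) {
  if (ZINCATI_ACTIONS.has(action.id) && subject.user === "zincati") {
    return polkit.Result.YES;
  }
  // Not our concern: later rules and the action's implicit defaults decide.
  return polkit.Result.NOT_HANDLED;
});

// Walk the registered rules in order and stop at the first decisive answer,
// as polkitd does. When no rule handles the request, fall back to the action's
// implicit default; "auth_admin" is an assumed stand-in for that default here.
function checkAuthorization(actionId, user, implicitDefault = "auth_admin") {
  const action = { id: actionId };
  const subject = { user: user };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== polkit.Result.NOT_HANDLED) {
      return result;
    }
  }
  return implicitDefault;
}

// Exercise the rule with the cases a reviewer should check: the agent user,
// an ordinary interactive user, and an unrelated action by the agent user.
function auditRule() {
  const cases = [
    ["org.projectatomic.rpmostree1.deploy", "zincati"],
    ["org.projectatomic.rpmostree1.deploy", "core"],
    ["org.freedesktop.login1.reboot", "zincati"],
  ];
  return cases.map(([id, user]) => ({
    action: id,
    user: user,
    result: checkAuthorization(id, user),
  }));
}

for (const row of auditRule()) {
  console.log(`${row.user.padEnd(8)} ${row.action.padEnd(40)} -> ${row.result}`);
}
```

On a real host the equivalent check is to read the rule files under `/etc/polkit-1/rules.d/` and `/usr/share/polkit-1/rules.d/` (polkitd evaluates them in order and the first decisive result wins), then run `pkcheck --action-id org.projectatomic.rpmostree1.deploy --process $$` as an unprivileged user and confirm the action is not granted; `pkaction --verbose --action-id org.projectatomic.rpmostree1.deploy` prints the implicit defaults the rule falls back to.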
EPSS: 0.001 (17.2th percentile)
Affected products
- Coreos Zincati — versions >= 0.0.24, < 0.0.30
Weakness classification (CWE)
References
- https://github.com/coreos/zincati/security/advisories/GHSA-w6fv-6gcc-x825 (x_refsource_CONFIRM)
- https://github.com/coreos/zincati/commit/01d8e89f799e6ba21bdf7dc668abce23bd0d8f78 (x_refsource_MISC)
- https://github.com/coreos/zincati/commit/28a43aa2c1edda091ba659677d73c13e6e3ea99d (x_refsource_MISC)
- https://github.com/coreos/zincati/releases/tag/v0.0.24 (x_refsource_MISC)
- https://github.com/coreos/zincati/releases/tag/v0.0.30 (x_refsource_MISC)