CVE-2026-34387
CRITICAL
Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts
Title source: cnaDescription
Fleet is open-source device management software. In versions prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker who can supply a crafted software package, whose metadata is carried into the generated uninstall script, to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall of that package is triggered. Version 4.81.1 patches the issue.
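The bug class named here (CWE-78) is untrusted package metadata being placed into a shell script that later runs with root privileges. The example below is added to illustrate that class; it is not Fleet's code and does not reproduce the Fleet flaw. The PackageMeta type, the BundleIdentifier field, the pkgutil --forget uninstall step and the crafted identifier value are all assumptions constructed for the example. It contrasts a generator that interpolates the value unquoted with one that validates the identifier against an allowlist and single-quotes it before it reaches the script.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PackageMeta is a hypothetical uploaded-package record. The field name is an
// assumption for this example, not Fleet's data model.
type PackageMeta struct {
	BundleIdentifier string
}

// vulnerableUninstallScript interpolates untrusted metadata straight into a
// generated shell script. Any shell metacharacters in the value become code
// when the script is executed on the host (CWE-78).
func vulnerableUninstallScript(m PackageMeta) string {
	return fmt.Sprintf("#!/bin/sh\npkgutil --forget %s\n", m.BundleIdentifier)
}

// identRe admits only reverse-DNS style identifiers: letters, digits, '.',
// '_' and '-', starting with an alphanumeric, at most 255 characters.
var identRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$`)

// ErrBadIdentifier is returned when the metadata fails the allowlist check.
var ErrBadIdentifier = errors.New("package identifier contains disallowed characters")

// shellQuote wraps s in single quotes and escapes embedded single quotes so a
// POSIX shell treats the whole value as one literal word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// safeUninstallScript validates the identifier before use and quotes the
// accepted value anyway (defense in depth: the allowlist is the control, the
// quoting limits damage if the allowlist is ever loosened).
func safeUninstallScript(m PackageMeta) (string, error) {
	if !identRe.MatchString(m.BundleIdentifier) {
		return "", ErrBadIdentifier
	}
	return fmt.Sprintf("#!/bin/sh\npkgutil --forget %s\n", shellQuote(m.BundleIdentifier)), nil
}

func main() {
	// Constructed payload: a command appended to an otherwise valid identifier.
	crafted := PackageMeta{BundleIdentifier: "com.example.app; id > /tmp/pwned"}
	benign := PackageMeta{BundleIdentifier: "com.example.app"}

	fmt.Println("--- vulnerable generator, crafted metadata ---")
	fmt.Print(vulnerableUninstallScript(crafted)) // the appended command survives into the script

	fmt.Println("--- hardened generator, crafted metadata ---")
	if _, err := safeUninstallScript(crafted); err != nil {
		fmt.Println("rejected:", err)
	}

	fmt.Println("--- hardened generator, benign metadata ---")
	s, _ := safeUninstallScript(benign)
	fmt.Print(s)
}
```

The scripts are only generated, never executed, so the block is safe to run anywhere. The allowlist check is the real control: quoting alone protects the one interpolation site, while validating at the point the metadata enters the system also covers every other place the value is later used.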
References (1)
Core reference (x_refsource_confirm):
https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h
Scores
CVSS v3.1 base score
9.8
EPSS
0.0128 (1.28%)
EPSS Percentile
66.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")
Status
published
Products (1)
fleetdm/fleet
< 4.81.1 (2 CPE variants)
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026