Description
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploaded to Fleet, metadata is extracted from the package binary and used to generate uninstall scripts. In affected versions, this metadata is not properly sanitized before being included in the generated scripts. A specially crafted package containing malicious values in its metadata fields could result in unintended command execution when the uninstall script runs on managed endpoints. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, administrators should avoid uploading software packages obtained from untrusted or unverified sources. Additionally, administrators can manually inspect and edit auto-generated uninstall scripts before deployment.
Published: 2026-05-14
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fleet's installer pipeline incorrectly incorporates untrusted metadata into uninstall scripts. A malicious package can embed crafted values that cause the generated script to execute arbitrary commands when a user triggers an uninstall. The script runs with the system account on the managed endpoint (root on macOS/Linux, SYSTEM on Windows), allowing an attacker to gain full control of the device. This flaw is an instance of OS command injection (CWE-78).
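Added example, not Fleet's own code: a minimal Go sketch of the vulnerable pattern (package metadata interpolated straight into a shell uninstall script) beside a hardened generator that allowlists the identifier and shell-quotes it. It assumes a macOS .pkg whose bundle identifier feeds a `pkgutil --forget` line; both identifiers are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for package identifiers: reverse-DNS style names only.
// Anything outside this set is refused rather than escaped (assumption
// for this example; Fleet's real validation rules are not on the page).
var pkgIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// unsafeUninstall mirrors the vulnerable pattern: metadata read from the
// package is dropped into the script with no sanitization.
func unsafeUninstall(pkgID string) string {
	return fmt.Sprintf("pkgutil --forget %s\n", pkgID)
}

// shellQuote wraps s in single quotes and escapes embedded single quotes,
// so the shell treats the whole value as one literal word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// safeUninstall validates against the allowlist and quotes anyway
// (defense in depth: the quoting holds even if the allowlist loosens).
func safeUninstall(pkgID string) (string, error) {
	if !pkgIDPattern.MatchString(pkgID) {
		return "", fmt.Errorf("package identifier %q contains disallowed characters", pkgID)
	}
	return fmt.Sprintf("pkgutil --forget %s\n", shellQuote(pkgID)), nil
}

func main() {
	// Constructed identifiers: a benign one and one carrying a command separator.
	for _, id := range []string{"com.example.app", "com.example.app; echo injected"} {
		fmt.Printf("unsafe: %s", unsafeUninstall(id))
		if script, err := safeUninstall(id); err != nil {
			fmt.Println("safe:   rejected:", err)
		} else {
			fmt.Printf("safe:   %s", script)
		}
	}
}
```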

Affected Systems

The flaw affects customers using Fleet open-source device management software prior to version 4.81.0. Both macOS and Linux endpoints are vulnerable when uninstalls are performed, and Windows devices are impacted if the uninstall script is executed under the SYSTEM account. Any installation of a software package with unsafe metadata (.pkg, .deb, .rpm, .exe, or .msi files) can trigger the vulnerability in these affected versions.

Risk and Exploitability

The CVSS v3 score of 6 indicates a moderate severity. The EPSS value is unavailable, but the vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread exploitation. An attacker would need to craft a malicious package and upload it to a Fleet server that manages the target endpoint. Once the uninstall is triggered, whether manually, through an update cycle, or via the automatic uninstall script, the attacker's commands execute with elevated privileges. Because the attack requires a managed device to undergo an uninstall, the attack surface is limited to environments using Fleet before the fixed release. Until an upgrade is applied, administrators should block the upload of packages from untrusted sources and review or edit generated uninstall scripts.

Generated by OpenCVE AI on May 14, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or later
  • Avoid uploading software packages sourced from untrusted or unverified origins until the upgrade is completed
  • Manually review and edit any automatically generated uninstall scripts before deployment


Advisories
Source: GitHub GHSA
ID: GHSA-9vcr-g537-3w5v
Title: Fleet vulnerable to OS command injection in software packages
History

Fri, 15 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Fleetdm; Fleetdm fleet
Type: Vendors & Products
Values Added: Fleetdm; Fleetdm fleet

Thu, 14 May 2026 19:30:00 +0000

Type: Description
Values Added: Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploaded to Fleet, metadata is extracted from the package binary and used to generate uninstall scripts. In affected versions, this metadata is not properly sanitized before being included in the generated scripts. A specially crafted package containing malicious values in its metadata fields could result in unintended command execution when the uninstall script runs on managed endpoints. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, administrators should avoid uploading software packages obtained from untrusted or unverified sources. Additionally, administrators can manually inspect and edit auto-generated uninstall scripts before deployment.
Type: Title
Values Added: Fleet vulnerable to OS command injection in software packages
Type: Weaknesses
Values Added: CWE-78
Type: References
Values Added:
Type: Metrics
Values Added: cvssV4_0
{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:15:18.440Z

Reserved: 2026-02-11T19:56:24.812Z

Link: CVE-2026-26191

Vulnrichment

Updated: 2026-05-15T14:15:12.248Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:02.173

Modified: 2026-05-14T21:24:23.440

Link: CVE-2026-26191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses