Description
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Published: 2026-03-27
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: Remote code execution on managed hosts
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection that occurs when an uninstall script is processed for a deliberately crafted software package. The installer pipeline allows arbitrary commands to be executed, giving an attacker root privileges on macOS/Linux or SYSTEM privileges on Windows devices. This translates into complete control over the affected host and a significant breach of confidentiality, integrity, and availability. The weakness is a classic OS command injection (CWE-78).

Affected Systems

The affected product is Fleet by fleetdm. Versions prior to 4.81.1 are vulnerable. The issue is found in the software installer module that handles uninstall scripts for managed machines. No other vendors or products are affected according to the advisory.

Risk and Exploitability

The CVSS score of 5.7 indicates medium severity, and although an EPSS score is not available, the vulnerability can be exploited once a crafted package reaches the installer. The weakness allows privileged code execution, so a successful exploit would compromise an entire device. Because a managed host normally executes code delivered by the Fleet agent, an attacker who can upload a crafted package or trigger a malicious uninstall may gain full control of that host. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild.

Generated by OpenCVE AI on March 27, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.1 or later.
  • Until the upgrade can be performed, avoid triggering uninstalls of packages created by unknown or untrusted sources.
  • Verify that uninstall scripts comply with the expected format and do not contain unexpected command sequences.



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:45:00 +0000

Type: Description
Values removed: (none)
Values added: Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

Type: Title
Values removed: (none)
Values added: Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

Type: Weaknesses
Values removed: (none)
Values added: CWE-78

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:31:54.764Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34387

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T19:16:43.590

Modified: 2026-03-27T19:16:43.590

Link: CVE-2026-34387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:40Z

Weaknesses