Description
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Published: 2026-03-27
Score: 5.7 Medium
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fleet’s installer pipeline contains a command‑injection flaw in uninstall scripts for software packages. A specially crafted package can cause arbitrary shell commands to run with host‑level privileges after the uninstall. On macOS and Linux the code runs as root; on Windows it runs as SYSTEM, giving the attacker full control of the managed device. This is a CWE‑78 vulnerability.

Affected Systems

The flaw affects the open‑source Fleet device‑management platform from fleetdm. Versions prior to 4.81.1 are vulnerable. Any host on which Fleet processes uninstall scripts for a malicious package – including macOS, Linux and Windows devices – is at risk.

Risk and Exploitability

The CVSS base score is 5.7, indicating moderate severity. EPSS is 1 % and the CVE is not listed in CISA’s KEV catalog, so large‑scale exploitation is unlikely but not impossible. The likely attack vector requires an attacker to supply a crafted package to a Fleet deployment and trigger its uninstall, a scenario that could be reached by an internal threat actor with some level of access to the Fleet environment. Successful exploitation would grant the attacker arbitrary privileged code execution on the affected host.

Generated by OpenCVE AI on June 18, 2026 at 09:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.1 or later, which includes the required fix
  • Remove or revoke any unverified or suspicious software packages from the Fleet repository to eliminate remaining crafted packages
  • If an upgrade cannot be applied immediately, isolate affected hosts and disable the execution of uninstall scripts from untrusted sources until the patch is deployed

Generated by OpenCVE AI on June 18, 2026 at 09:47 UTC.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Mon, 30 Mar 2026 07:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Fleetdm, Fleetdm fleet |
| Vendors & Products | | Fleetdm, Fleetdm fleet |

Sat, 28 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 27 Mar 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue. |
| Title | | Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:31:54.764Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34387

Vulnrichment

Updated: 2026-03-27T19:31:51.060Z

NVD

Status: Analyzed

Published: 2026-03-27T19:16:43.590

Modified: 2026-06-17T10:38:59.600

Link: CVE-2026-34387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:00:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')