Description
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Published: 2026-03-27
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

Fleet’s installer pipeline contains a command‑injection flaw in uninstall scripts for software packages. A specially crafted package can cause arbitrary shell commands to run with host‑level privileges after the uninstall completes. On macOS and Linux the code runs as root; on Windows it runs as SYSTEM, giving the attacker full control of the managed device. This is a CWE‑78 vulnerability.

Affected Systems

The flaw affects the open‑source Fleet device‑management platform from fleetdm. Versions prior to 4.81.1 are vulnerable. Any host on which Fleet processes uninstall scripts for a malicious package – including macOS, Linux and Windows devices – is at risk.

Risk and Exploitability

The CVSS base score is 5.7, indicating moderate severity. EPSS is below 1 % and the CVE is not listed in CISA’s KEV catalog, so large‑scale exploitation is unlikely but not impossible. The likely attack vector requires an attacker to supply a crafted package to a Fleet deployment and trigger its uninstall, a scenario that could be reached by an internal threat actor with some level of access to the Fleet environment. Successful exploitation would grant the attacker arbitrary privileged code execution on the affected host.

Generated by OpenCVE AI on April 7, 2026 at 23:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Fleet version 4.81.1 or newer

Generated by OpenCVE AI on April 7, 2026 at 23:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Title Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:31:54.764Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34387

cve-icon Vulnrichment

Updated: 2026-03-27T19:31:51.060Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T19:16:43.590

Modified: 2026-04-07T21:15:54.230

Link: CVE-2026-34387

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:08Z

Weaknesses