CVE-2026-34387

Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

Description

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

INFO

Published Date :

2026-03-27T18:31:27.871Z

Last Modified :

2026-03-27T19:31:54.764Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-34387 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34387.

URL	Resource
https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability