Description

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

PUBLISHED Reserved 2026-03-27 | Published 2026-03-27 | Updated 2026-03-27 | Assigner GitHub_M




MEDIUM: 5.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 4.81.1: affected

References

github.com/.../fleet/security/advisories/GHSA-7rhw-5mpv-gp4h

cve.org (CVE-2026-34387)

nvd.nist.gov (CVE-2026-34387)
