CVE-2026-34387 MEDIUM

CVE-2026-34387: Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

Vendor Fleetdm
Product fleet
Weakness CWE-78
Published March 27, 2026
Last update March 27, 2026

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated