CVE-2026-34387
Status: Received - Intake
Command Injection in Fleet Installer Allows Root/SYSTEM Code Execution

Publication date: 2026-03-27

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: fleetdm
Product: fleet
Version / Range: up to 4.81.1 (4.81.1 itself excluded)
CWE
CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34387 is a high-severity OS command injection vulnerability in the Fleet device management software installer pipeline affecting versions prior to 4.81.1.

The vulnerability occurs because metadata from uploaded software packages (such as package identifiers and product names) is inserted directly into auto-generated uninstall shell scripts without proper sanitization.

An attacker can craft a malicious software package with payloads embedded in its metadata. When a Fleet administrator uploads this package and triggers an uninstall on managed hosts (macOS/Linux as root or Windows as SYSTEM), the malicious code executes with elevated privileges, allowing arbitrary code execution.

The attacker does not need Fleet credentials; the attack relies on tricking administrators into uploading the crafted package, potentially through supply-chain attacks, typosquatting, or compromised mirrors.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary code with root (macOS/Linux) or SYSTEM (Windows) privileges on managed hosts.

Such elevated code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of device management operations, and potential lateral movement within the network.

Because the attacker can execute commands as a highly privileged user, the impact includes the possibility of installing malware, stealing data, or disabling security controls.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from malicious code embedded in uninstall shell scripts generated from software package metadata. Detection involves inspecting uninstall scripts for suspicious or unexpected code injections.

Suggested steps include manually reviewing uninstall scripts on managed hosts for unusual commands or payloads, especially those triggered during uninstall operations.

Specific commands are not provided in the available resources, but typical approaches might include searching uninstall scripts for suspicious strings or unexpected shell commands using tools like grep.
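The injection pattern described in the first answer (package metadata interpolated into a generated uninstall script) and the review approach suggested in the answer above, side by side in an added Go example. This is not Fleet's own code: the PackageMeta fields, the pkgutil command line used as the script body, and the crafted sample metadata are all assumptions made for illustration. The hardened generator rejects identifiers outside an allowlist and single-quotes anything it interpolates; the scanner flags script lines with unquoted shell metacharacters, which is what a grep-style review of uninstall scripts is trying to catch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PackageMeta stands in for the metadata a server extracts from an uploaded
// package. The field names are an assumption for this example, not Fleet's.
type PackageMeta struct {
	PackageID string // e.g. a macOS bundle identifier
	Name      string // product name shown in the UI
}

// Constructed sample: an ordinary-looking package whose identifier carries a
// command separator followed by a second command.
var craftedMeta = PackageMeta{
	PackageID: "com.example.app; echo injected",
	Name:      "Example App",
}

// unsafeUninstallScript reproduces the vulnerable pattern: metadata is
// interpolated as-is, so the shell parses the payload as a second command.
func unsafeUninstallScript(m PackageMeta) string {
	return fmt.Sprintf("#!/bin/sh\n# Uninstall %s\npkgutil --forget %s\n", m.Name, m.PackageID)
}

// identifierPattern is an allowlist for package identifiers: letters, digits,
// dot, underscore and hyphen only, so nothing the shell treats specially gets
// through even before quoting is applied.
var identifierPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// shellQuote wraps a value in single quotes and escapes embedded single quotes
// as '\'' so the shell reads the whole value as one literal word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// commentSafe strips line breaks so a value placed in a comment cannot start a
// new, executable script line.
func commentSafe(s string) string {
	return strings.NewReplacer("\n", " ", "\r", " ").Replace(s)
}

// safeUninstallScript validates the identifier against the allowlist and
// quotes every value it interpolates; invalid metadata yields an error.
func safeUninstallScript(m PackageMeta) (string, error) {
	if !identifierPattern.MatchString(m.PackageID) {
		return "", fmt.Errorf("package identifier %q contains disallowed characters", m.PackageID)
	}
	return fmt.Sprintf("#!/bin/sh\n# Uninstall %s\npkgutil --forget %s\n",
		commentSafe(m.Name), shellQuote(m.PackageID)), nil
}

// unquotedMetachars returns the shell metacharacters found outside quotes on
// one line. Command substitution ($( and backticks) is reported even inside
// double quotes, since the shell still expands it there. Review heuristic
// (no backslash handling), not a full shell parser.
func unquotedMetachars(line string) []string {
	var found []string
	inSingle, inDouble := false, false
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case c == '\'' && !inDouble:
			inSingle = !inSingle
		case c == '"' && !inSingle:
			inDouble = !inDouble
		case inSingle:
			// everything inside single quotes is literal
		case c == '`':
			found = append(found, "`")
		case c == '$' && i+1 < len(line) && line[i+1] == '(':
			found = append(found, "$(")
		case !inDouble && strings.ContainsRune(";|&", rune(c)):
			found = append(found, string(c))
		}
	}
	return found
}

// suspiciousLines scans a generated script and returns the 1-based numbers of
// command lines carrying unquoted metacharacters. Shebang, comments and blank
// lines are skipped; a single-command uninstall script should yield no hits.
func suspiciousLines(script string) []int {
	var hits []int
	for n, line := range strings.Split(script, "\n") {
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		if len(unquotedMetachars(trimmed)) > 0 {
			hits = append(hits, n+1)
		}
	}
	return hits
}

func main() {
	unsafe := unsafeUninstallScript(craftedMeta)
	fmt.Print(unsafe)
	fmt.Println("suspicious lines (unsafe generator):", suspiciousLines(unsafe))
	if _, err := safeUninstallScript(craftedMeta); err != nil {
		fmt.Println("hardened generator rejected crafted metadata:", err)
	}
	safe, _ := safeUninstallScript(PackageMeta{PackageID: "com.example.app", Name: "Example App"})
	fmt.Print(safe)
	fmt.Println("suspicious lines (hardened generator):", suspiciousLines(safe))
}
```

Quoting alone would already neutralize the separator, but the allowlist is kept in front of it on purpose: an identifier that needs quoting to be safe is not a plausible bundle identifier in the first place, and rejecting it at upload time keeps the problem out of the script entirely. The scanner is deliberately simple and will miss constructs such as backslash escapes; treat a hit as a prompt to read the script, not as proof of compromise.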


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Only upload trusted software packages to Fleet to avoid introducing malicious metadata.
  • Thoroughly review package metadata before uploading to ensure it does not contain malicious payloads.
  • Manually inspect and edit uninstall scripts generated by Fleet to remove any suspicious or injected code if upgrading immediately is not possible.
  • Upgrade Fleet to version 4.81.1 or later, where this vulnerability is patched.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

