CVE-2026-34387
Received Received - Intake
Command Injection in Fleet Installer Allows Root/SYSTEM Code Execution

Publication date: 2026-03-27

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34387
EUVD
EUVD-2026-16758
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fleetdm fleet to 4.81.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34387 is a high-severity OS command injection vulnerability in the Fleet device management software installer pipeline affecting versions prior to 4.81.1.

The vulnerability occurs because metadata from uploaded software packagesβ€”such as package identifiers and product namesβ€”is directly inserted into auto-generated uninstall shell scripts without proper sanitization.

An attacker can craft a malicious software package with payloads embedded in its metadata. When a Fleet administrator uploads this package and triggers an uninstall on managed hosts (macOS/Linux as root or Windows as SYSTEM), the malicious code executes with elevated privileges, allowing arbitrary code execution.

The attacker does not need Fleet credentials; the attack relies on tricking administrators into uploading the crafted package, potentially through supply-chain attacks, typosquatting, or compromised mirrors.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code with root (macOS/Linux) or SYSTEM (Windows) privileges on managed hosts.

Such elevated code execution can lead to full system compromise, unauthorized access to sensitive data, disruption of device management operations, and potential lateral movement within the network.

Because the attacker can execute commands as a highly privileged user, the impact includes the possibility of installing malware, stealing data, or disabling security controls.

Detection Guidance

This vulnerability arises from malicious code embedded in uninstall shell scripts generated from software package metadata. Detection involves inspecting uninstall scripts for suspicious or unexpected code injections.

Suggested steps include manually reviewing uninstall scripts on managed hosts for unusual commands or payloads, especially those triggered during uninstall operations.

Specific commands are not provided in the available resources, but typical approaches might include searching uninstall scripts for suspicious strings or unexpected shell commands using tools like grep.

Mitigation Strategies

Immediate mitigation steps include:

  • Only upload trusted software packages to Fleet to avoid introducing malicious metadata.
  • Thoroughly review package metadata before uploading to ensure it does not contain malicious payloads.
  • Manually inspect and edit uninstall scripts generated by Fleet to remove any suspicious or injected code if upgrading immediately is not possible.
  • Upgrade Fleet to version 4.81.1 or later, where this vulnerability is patched.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34387. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart