Cyber Posture

CVE-2026-34387

Critical

Published: 27 March 2026
Modified: 07 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Requires timely remediation of identified flaws, directly addressing this command injection vulnerability by mandating upgrades to Fleet version 4.81.1 or later.

prevent: Prevents command injection exploits by validating information inputs, such as crafted software package names or metadata used in Fleet's uninstall pipeline.

detect: Enables proactive discovery of this CVE through regular vulnerability scanning of the Fleet instance, facilitating timely patching.

Security Summary (AI)

CVE-2026-34387 is a command injection vulnerability (CWE-78) in the software installer pipeline of Fleet, an open source device management software. It affects versions prior to 4.81.1 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

An unauthenticated attacker with network access to a vulnerable Fleet instance can exploit this flaw by triggering an uninstall for a specially crafted software package on managed hosts. Successful exploitation results in arbitrary code execution with root privileges on macOS and Linux hosts or SYSTEM privileges on Windows hosts, potentially enabling full compromise of the managed devices.

The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h confirms that version 4.81.1 fully patches the vulnerability, and users should upgrade to this or later versions to mitigate the issue.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Affected Products

fleetdm / fleet: ≤ 4.81.1

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote command injection in the public-facing Fleet device management software's installer pipeline enables exploitation of a public-facing application for arbitrary code execution on managed hosts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
