{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34387", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.619Z", "datePublished": "2026-03-27T18:31:27.871Z", "dateUpdated": "2026-03-27T19:31:54.764Z"}, "containers": {"cna": {"title": "Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h"}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"version": "< 4.81.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:31:27.871Z"}, "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue."}], "source": {"advisory": "GHSA-7rhw-5mpv-gp4h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:31:45.614382Z", "id": "CVE-2026-34387", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:31:54.764Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue."}], "id": "CVE-2026-34387", "lastModified": "2026-03-27T19:16:43.590", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T19:16:43.590", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:20:16.641486+00:00", "value": {"mitigation_remediation": ["Upgrade Fleet to version 4.81.1 or later.", "Until the upgrade can be performed, avoid triggering uninstalls of packages created by unknown or untrusted sources.", "Verify that uninstall scripts comply with the expected format and do not contain unexpected command sequences."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution on managed hosts"}, "threat_synthesis": {"affected_systems": "The affected product is Fleet by fleetdm. Versions prior to 4.81.1 are vulnerable. The issue is found in the software installer module that handles uninstall scripts for managed machines. No other vendors or products are affected according to the advisory.", "description_and_impact": "The vulnerability is a command injection that occurs when an uninstall script is processed for a deliberately crafted software package. The pipeline allows arbitrary commands to be executed, giving an attacker root privileges on macOS/Linux or SYSTEM privileges on Windows devices. This translates into complete control over the affected host and a significant breach of confidentiality, integrity, and availability. The weakness is a classic command injection (CWE\u201178).", "risk_and_exploitability": "The CVSS score of 5.7 indicates medium severity, and although an EPSS score is not available, the vulnerability can be exploited once a crafted package reaches the installer. The weakness allows privileged code execution, so a successful exploit would compromise an entire device. Because a managed host normally executes code from the Fleet agent, an attacker who can upload or trigger a malicious uninstall may gain full control. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild."}}}}, "created": "2026-03-27T20:27:40.312658+00:00", "updated": "2026-03-27T20:27:40.312687+00:00", "vendors": []}