CVE-2026-34387
Published: 27 March 2026
Summary
CVE-2026-34387 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fleetdm Fleet. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of identified flaws, directly addressing this command injection vulnerability by mandating an upgrade to Fleet version 4.81.1 or later.
- SI-10 (Information Input Validation): prevents command injection by validating information inputs, such as crafted software package names or metadata consumed by Fleet's uninstall pipeline.
- Vulnerability monitoring and scanning: enables proactive discovery of this CVE through regular vulnerability scanning of the Fleet instance, supporting timely patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote command injection in the installer pipeline of Fleet, a public-facing device management application, allows an attacker to exploit that public-facing application to gain arbitrary code execution on managed hosts.
NVD Description
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Deeper analysis
CVE-2026-34387 is a command injection vulnerability (CWE-78) in the software installer pipeline of Fleet, open source device management software. It affects versions prior to 4.81.1 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: the flaw is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.
An unauthenticated attacker with network access to a vulnerable Fleet instance can exploit this flaw by triggering an uninstall for a specially crafted software package on managed hosts. Successful exploitation results in arbitrary code execution with root privileges on macOS and Linux hosts or SYSTEM privileges on Windows hosts, potentially enabling full compromise of the managed devices.
The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h confirms that version 4.81.1 fully patches the vulnerability; users should upgrade to 4.81.1 or a later version to mitigate the issue.
Details
- CWE(s)