CVE-2026-34387

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34387

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34387.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-34387

Aliases

GHSA-7rhw-5mpv-gp4h

Published

2026-03-27T18:31:27.871Z

Modified

2026-04-10T05:43:02.130007Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

Details

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34387.json"
}

References

Affected packages

Git / github.com/fleetdm/fleet

Affected ranges

Type

GIT

Repo

https://github.com/fleetdm/fleet

Events

Introduced

Fixed

729c324074c34d33e7f039991bdad05cef6c3b90

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.81.1"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-rc1

1.0.0-rc2

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

2.*

2.0.0

2.0.0-rc1

2.0.0-rc2

2.0.0-rc3

2.0.0-rc4

2.0.0-rc5

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

3.*

3.0.0

3.1.0

3.10.0

3.10.1

3.11.0

3.12.0

3.13.0

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

3.6.0

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0

3.9.0

fleet-v4.*

fleet-v4.10.0

fleet-v4.11.0

fleet-v4.12.0

fleet-v4.13.0

fleet-v4.14.0

fleet-v4.15.0

fleet-v4.16.0

fleet-v4.17.0

fleet-v4.18.0

fleet-v4.19.0

fleet-v4.2.0

fleet-v4.2.2

fleet-v4.20.0

fleet-v4.22.0

fleet-v4.23.0

fleet-v4.24.0

fleet-v4.25.0

fleet-v4.26.0

fleet-v4.27.0

fleet-v4.28.0

fleet-v4.29.0

fleet-v4.3.0

fleet-v4.3.1

fleet-v4.30.0

fleet-v4.31.0

fleet-v4.32.0

fleet-v4.33.0

fleet-v4.34.0

fleet-v4.35.0

fleet-v4.36.0

fleet-v4.37.0

fleet-v4.38.0

fleet-v4.39.0

fleet-v4.4.0

fleet-v4.40.0

fleet-v4.41.0

fleet-v4.43.0

fleet-v4.45.0

fleet-v4.47.0

fleet-v4.48.0

fleet-v4.49.0

fleet-v4.5.0

fleet-v4.50.0

fleet-v4.51.0

fleet-v4.6.0

fleet-v4.6.1

fleet-v4.7.0

fleet-v4.8.0

fleet-v4.81.0

Other

fleetctl-docker-deps-20260113

fleetctl-docker-deps-20260129

orbit-test-build

fleetctl-docker-deps-v4.*

fleetctl-docker-deps-v4.60.0

fleetctl-docker-deps-v4.76.1

fleetd-android-v1.*

fleetd-android-v1.0.0

fleetd-chrome-v1.*

fleetd-chrome-v1.1.0-beta

fleetd-chrome-v1.1.1-beta

fleetd-chrome-v1.1.3

fleetd-chrome-v1.1.3-beta

fleetd-chrome-v1.2.0

fleetd-chrome-v1.2.0-beta

fleetd-chrome-v1.2.1-beta

fleetd-chrome-v1.3.0

fleetd-chrome-v1.3.1

orbit-v0.*

orbit-v0.0.11

orbit-v0.0.12

orbit-v0.0.13

orbit-v0.0.4

orbit-v0.0.5

orbit-v0.0.6

orbit-v0.0.7

orbit-v0.0.9

orbit-v1.*

orbit-v1.0.0

orbit-v1.1.0

orbit-v1.10.0

orbit-v1.11.0

orbit-v1.12.0

orbit-v1.12.1

orbit-v1.13.0

orbit-v1.14.0

orbit-v1.15.0

orbit-v1.16.0

orbit-v1.16.0-2

orbit-v1.17.0

orbit-v1.18.0-RC

orbit-v1.18.2

orbit-v1.18.3

orbit-v1.2.0-rc1

orbit-v1.20.0

orbit-v1.3.0

orbit-v1.3.0-rc

orbit-v1.4.0

orbit-v1.4.0-rc

orbit-v1.4.1

orbit-v1.41.0

orbit-v1.42.0

orbit-v1.43.0

orbit-v1.45.0

orbit-v1.48.0

orbit-v1.49.0

orbit-v1.5.0

orbit-v1.50.0

orbit-v1.51.0

orbit-v1.7.0

orbit-v1.8.0

orbit-v1.9.0

orbit-v1.9.1

rc-fleetctl-test-v4.*

rc-fleetctl-test-v4.63.0

tf-mod-addon-bfldf-v1.*

tf-mod-addon-bfldf-v1.1.0

tf-mod-addon-byo-file-carving-target-account-v1.*

tf-mod-addon-byo-file-carving-target-account-v1.0.0

tf-mod-addon-byo-file-carving-target-account-v1.1.0

tf-mod-addon-byo-file-carving-v1.*

tf-mod-addon-byo-file-carving-v1.0.0

tf-mod-addon-byo-file-carving-v1.1.0

tf-mod-addon-byo-firehose-logging-destination-firehose-v1.*

tf-mod-addon-byo-firehose-logging-destination-firehose-v1.0.0

tf-mod-addon-byo-firehose-logging-destination-firehose-v1.1.0

tf-mod-addon-byo-firehose-logging-destination-firehose-v2.*

tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.0

tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.1

tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.2

tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.3

tf-mod-addon-byo-firehose-logging-destination-target-account-v1.*

tf-mod-addon-byo-firehose-logging-destination-target-account-v1.0.0

tf-mod-addon-byo-firehose-logging-destination-target-account-v1.1.0

tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.*

tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.0

tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.1

tf-mod-addon-byo-kinesis-logging-destination-target-account-v1.*

tf-mod-addon-byo-kinesis-logging-destination-target-account-v1.0.0

tf-mod-addon-external-vuln-scans-v1.*

tf-mod-addon-external-vuln-scans-v1.0.0

tf-mod-addon-external-vuln-scans-v2.*

tf-mod-addon-external-vuln-scans-v2.0.0

tf-mod-addon-external-vuln-scans-v2.0.1

tf-mod-addon-external-vuln-scans-v2.0.2

tf-mod-addon-external-vuln-scans-v2.1.0

tf-mod-addon-external-vuln-scans-v2.2.0

tf-mod-addon-geolite2-v1.*

tf-mod-addon-geolite2-v1.0.0

tf-mod-addon-logging-alb-v1.*

tf-mod-addon-logging-alb-v1.0.0

tf-mod-addon-logging-alb-v1.0.1

tf-mod-addon-logging-alb-v1.0.2

tf-mod-addon-logging-alb-v1.1.0

tf-mod-addon-logging-alb-v1.1.1

tf-mod-addon-logging-alb-v1.2.0

tf-mod-addon-logging-destination-firehose-v1.*

tf-mod-addon-logging-destination-firehose-v1.0.0

tf-mod-addon-logging-destination-firehose-v1.1.0

tf-mod-addon-logging-destination-firehose-v1.1.1

tf-mod-addon-mdm-v1.*

tf-mod-addon-mdm-v1.0.0

tf-mod-addon-mdm-v1.1.0

tf-mod-addon-mdm-v1.2.0

tf-mod-addon-mdm-v1.2.1

tf-mod-addon-mdm-v1.2.2

tf-mod-addon-mdm-v1.3.0

tf-mod-addon-mdm-v1.4.0

tf-mod-addon-mdm-v1.4.1

tf-mod-addon-mdm-v1.5.0

tf-mod-addon-mdm-v2.*

tf-mod-addon-mdm-v2.0.0

tf-mod-addon-mdmproxy-v1.*

tf-mod-addon-mdmproxy-v1.0.0

tf-mod-addon-mdmproxy-v1.0.1

tf-mod-addon-migrations-v1.*

tf-mod-addon-migrations-v1.0.0

tf-mod-addon-migrations-v2.*

tf-mod-addon-migrations-v2.0.0

tf-mod-addon-migrations-v2.0.1

tf-mod-addon-monitoring-v1.*

tf-mod-addon-monitoring-v1.0.0

tf-mod-addon-monitoring-v1.1.0

tf-mod-addon-monitoring-v1.1.1

tf-mod-addon-monitoring-v1.1.2

tf-mod-addon-monitoring-v1.1.3

tf-mod-addon-monitoring-v1.2.0

tf-mod-addon-monitoring-v1.3.0

tf-mod-addon-monitoring-v1.4.0

tf-mod-addon-monitoring-v1.4.1

tf-mod-addon-monitoring-v1.5.0

tf-mod-addon-monitoring-v1.5.1

tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.*

tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.0.0

tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.1.0

tf-mod-addon-osquery-carve-split-account-split-account-v1.*

tf-mod-addon-osquery-carve-split-account-split-account-v1.0.0

tf-mod-addon-osquery-carve-split-account-split-account-v1.1.0

tf-mod-addon-osquery-carve-v1.*

tf-mod-addon-osquery-carve-v1.0.0

tf-mod-addon-osquery-carve-v1.0.1

tf-mod-addon-osquery-carve-v1.1.0

tf-mod-addon-osquery-perf-v1.*

tf-mod-addon-osquery-perf-v1.0.0

tf-mod-addon-saml-auth-proxy-v1.*

tf-mod-addon-saml-auth-proxy-v1.0.0

tf-mod-addon-saml-auth-proxy-v1.1.0

tf-mod-addon-saml-auth-proxy-v1.2.0

tf-mod-addon-saml-auth-proxy-v1.3.0

tf-mod-addon-ses-v1.*

tf-mod-addon-ses-v1.0.0

tf-mod-addon-ses-v1.1.0

tf-mod-addon-ses-v1.2.0

tf-mod-addon-vuln-processing-v1.*

tf-mod-addon-vuln-processing-v1.0.0

tf-mod-addon-vuln-processing-v1.1.0

tf-mod-addon-waf-alb-v1.*

tf-mod-addon-waf-alb-v1.0.0

tf-mod-addon-waf-alb-v2.*

tf-mod-addon-waf-alb-v2.0.0

tf-mod-byo-db-v1.*

tf-mod-byo-db-v1.0.0

tf-mod-byo-db-v1.1.0

tf-mod-byo-db-v1.2.0

tf-mod-byo-db-v1.3.0

tf-mod-byo-db-v1.3.1

tf-mod-byo-db-v1.3.2

tf-mod-byo-db-v1.4.0

tf-mod-byo-db-v1.5.0

tf-mod-byo-db-v1.5.1

tf-mod-byo-db-v1.6.0

tf-mod-byo-db-v1.7.0

tf-mod-byo-db-v1.7.1

tf-mod-byo-db-v1.8.0

tf-mod-byo-db-v1.9.0

tf-mod-byo-ecs-v1.*

tf-mod-byo-ecs-v1.0.0

tf-mod-byo-ecs-v1.1.0

tf-mod-byo-ecs-v1.2.0

tf-mod-byo-ecs-v1.3.0

tf-mod-byo-ecs-v1.4.0

tf-mod-byo-ecs-v1.4.1

tf-mod-byo-ecs-v1.5.0

tf-mod-byo-ecs-v1.6.0

tf-mod-byo-ecs-v1.6.1

tf-mod-byo-ecs-v1.7.0

tf-mod-byo-ecs-v1.8.0

tf-mod-byo-ecs-v1.8.1

tf-mod-byo-vpc-v1.*

tf-mod-byo-vpc-v1.0.0

tf-mod-byo-vpc-v1.1.0

tf-mod-byo-vpc-v1.10.0

tf-mod-byo-vpc-v1.10.1

tf-mod-byo-vpc-v1.11.0

tf-mod-byo-vpc-v1.12.0

tf-mod-byo-vpc-v1.12.1

tf-mod-byo-vpc-v1.2.0

tf-mod-byo-vpc-v1.3.0

tf-mod-byo-vpc-v1.4.0

tf-mod-byo-vpc-v1.5.0

tf-mod-byo-vpc-v1.6.0

tf-mod-byo-vpc-v1.6.1

tf-mod-byo-vpc-v1.7.0

tf-mod-byo-vpc-v1.7.1

tf-mod-byo-vpc-v1.8.0

tf-mod-byo-vpc-v1.8.1

tf-mod-byo-vpc-v1.8.2

tf-mod-byo-vpc-v1.8.3

tf-mod-byo-vpc-v1.9.0

tf-mod-root-v1.*

tf-mod-root-v1.0.0

tf-mod-root-v1.1.0

tf-mod-root-v1.1.1

tf-mod-root-v1.10.0

tf-mod-root-v1.11.0

tf-mod-root-v1.11.1

tf-mod-root-v1.2.0

tf-mod-root-v1.3.0

tf-mod-root-v1.4.0

tf-mod-root-v1.5.0

tf-mod-root-v1.5.1

tf-mod-root-v1.6.0

tf-mod-root-v1.6.1

tf-mod-root-v1.7.0

tf-mod-root-v1.7.1

tf-mod-root-v1.7.2

tf-mod-root-v1.7.3

tf-mod-root-v1.8.0

tf-mod-root-v1.9.0

tf-mod-root-v1.9.1

tf-mod-root-v1.9.2

v0.*

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v4.*

v4.0.0

v4.0.0-rc3

v4.0.1

v4.1.0

v4.28.0

v4.36.0

v4.37.0

v4.43.4

v4.81.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34387.json"