Skip to main content

Apple EUVDEUVD-2026-16758

| CVE-2026-34387 MEDIUM
OS Command Injection (CWE-78)
2026-03-27 GitHub_M
5.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
4.81.1
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2026-16758
Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
CVE Published
Mar 27, 2026 - 18:31 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.

AnalysisAI

Fleet device management software versions prior to 4.81.1 are vulnerable to command injection in the software installer pipeline, enabling remote attackers with high privileges to achieve arbitrary code execution as root on macOS/Linux or SYSTEM on Windows when triggering uninstall operations on crafted software packages. The vulnerability requires high privileges and user interaction but delivers complete system compromise on affected managed hosts. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability exists in Fleet's software installer pipeline (cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*) and is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command, also known as OS Command Injection). The flaw allows unsanitized input from crafted software package definitions to be passed to OS-level command execution without proper escaping or validation, permitting shell metacharacters to break out of intended command boundaries. This occurs specifically during the uninstall workflow, where package metadata or parameters are incorporated into system commands executed with elevated privileges (root/SYSTEM). The cross-platform nature (macOS, Linux, Windows) indicates the vulnerability affects the core package handling logic shared across multiple operating system implementations.

RemediationAI

Immediately upgrade Fleet to version 4.81.1 or later, which patches the command injection vulnerability in the software installer pipeline. This patch must be applied to all Fleet server instances managing endpoints. Until patching is completed, restrict administrative access to the Fleet management console to only trusted personnel who absolutely require it, enforce multi-factor authentication on all admin accounts, and disable or restrict the software uninstall workflow where operationally feasible. Additionally, audit logs should be reviewed for any suspicious software package creation or uninstall operations conducted prior to patching. See the vendor security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-7rhw-5mpv-gp4h for deployment guidance and changelog details.

Share

EUVD-2026-16758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy