CVE-2026-26191
CriticalSummary
In Fleet software, prior to version 4.81.0, a vulnerability in the installation process could allow arbitrary commands to be executed as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. A specially crafted software package could lead to unintended command execution.
Risk Assessment
Organizations may face serious security risks, including unauthorized access to systems and data, potentially leading to loss of confidentiality and integrity of information.
Recommendation
It is recommended to immediately upgrade to version 4.81.0 or higher. If an upgrade is not possible, administrators should avoid uploading software packages from unverified sources and manually inspect and edit auto-generated uninstall scripts.
Original NVD description (English source)
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploaded to Fleet, metadata is extracted from the package binary and used to generate uninstall scripts. In affected versions, this metadata is not properly sanitized before being included in the generated scripts. A specially crafted package containing malicious values in its metadata fields could result in unintended command execution when the uninstall script runs on managed endpoints. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, administrators should avoid uploading software packages obtained from untrusted or unverified sources. Additionally, administrators can manually inspect and edit auto-generated uni

