PT-2026-40971 · Fleet · Fleet

Secfox-Ai

·

Published

2026-05-14

·

Updated

2026-06-25

·

CVE-2026-26191

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.0
Description A flaw in the software installer pipeline allows a crafted software package to execute arbitrary commands as root on macOS and Linux, or as SYSTEM on Windows, when an uninstall is triggered. When packages such as .pkg, .deb, .rpm, .exe, or .msi are uploaded, metadata is extracted from the binary to generate uninstall scripts. This metadata is not properly sanitized, meaning a package with malicious values in its metadata fields can lead to unintended command execution on managed endpoints.
Recommendations Update to version 4.81.0. Avoid uploading software packages from untrusted or unverified sources. Manually inspect and edit auto-generated uninstall scripts before deployment.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-26191
GHSA-9VCR-G537-3W5V
GO-2026-5301

Affected Products

Fleet