PatchSiren cyber security CVE debrief

CVE-2026-26191 Fleetdm CVE debrief

CVE-2026-26191 is a Fleet device-management vulnerability in the software installer pipeline. If a crafted software package is uploaded and later uninstalled, unsanitized metadata from that package can be inserted into auto-generated uninstall scripts. When those scripts run on managed endpoints, an attacker could trigger unintended command execution with elevated privileges: root on macOS/Linux or SYSTEM on Windows. NVD marks versions prior to 4.81.0 as vulnerable, and the vendor references a fixed release and advisory for remediation.

Vendor: Fleetdm
Product: Fleet
CVSS: 6 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-18
Advisory published: 2026-05-14
Advisory updated: 2026-05-18

Who should care

Fleet administrators, endpoint management teams, and security teams responsible for software-package onboarding and uninstall automation should treat this as important, especially if they upload third-party or unverified packages into Fleet.

Technical summary

The issue is a command-injection weakness in Fleet’s uninstall-script generation flow. Package metadata is extracted from uploaded .pkg, .deb, .rpm, .exe, or .msi binaries and used to build uninstall scripts. In affected versions, that metadata is not properly sanitized before being embedded into the generated script. A maliciously crafted package can therefore influence the script contents, and the resulting uninstall action on managed endpoints may execute attacker-controlled commands. The published weakness is mapped to CWE-78 and NVD lists a CVSS 4.0 vector with network access, low attack complexity, and user interaction required, with high integrity impact.
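
The bug class described above, as an added example that is not Fleet's own code: a script builder that interpolates package metadata verbatim, next to a hardened builder that validates the identifier against an allowlist and single-quotes it before embedding. The PackageMeta type, its field names and the pkgutil command in the generated script are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PackageMeta stands in for metadata parsed from an uploaded installer.
// The field names are assumptions for this example, not Fleet's own types.
type PackageMeta struct {
	Identifier string // e.g. a macOS package id such as com.example.app
	Version    string
}

// BuildUninstallScriptUnsafe shows the weakness: metadata goes into the
// script verbatim, so any shell metacharacters in it become script code.
func BuildUninstallScriptUnsafe(m PackageMeta) string {
	return fmt.Sprintf("#!/bin/sh\npkgutil --forget %s\n", m.Identifier)
}

// identRe is an allowlist for identifiers: alphanumerics, dot, underscore
// and hyphen only; no whitespace, quotes, $, ;, |, & or other metacharacters.
var identRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$`)

// ShellQuote wraps s in POSIX single quotes; an embedded single quote is
// emitted as '\'' so the shell never interprets the contents.
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// BuildUninstallScript is the hardened form: reject anything outside the
// allowlist, and quote the value anyway (defence in depth) before embedding.
func BuildUninstallScript(m PackageMeta) (string, error) {
	if !identRe.MatchString(m.Identifier) {
		return "", errors.New("package identifier contains disallowed characters")
	}
	return "#!/bin/sh\npkgutil --forget " + ShellQuote(m.Identifier) + "\n", nil
}

func main() {
	// Constructed sample: an identifier carrying a shell metacharacter.
	crafted := PackageMeta{Identifier: "com.example.app; echo injected", Version: "1.0"}
	fmt.Print(BuildUninstallScriptUnsafe(crafted)) // metacharacters survive
	if _, err := BuildUninstallScript(crafted); err != nil {
		fmt.Println("rejected:", err) // hardened builder refuses the package
	}
}
```

The allowlist check is the primary control; the quoting only limits damage if a later code path bypasses validation.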

Defensive priority

High for environments that ingest untrusted software packages into Fleet or rely on auto-generated uninstall scripts. The impact is privileged command execution on managed endpoints, so remediation should be prioritized even though the CVSS base score is medium.

Recommended defensive actions

  • Upgrade Fleet to a fixed release as directed by the vendor advisory and release notes; the CVE record identifies versions before 4.81.0 as vulnerable.
  • Avoid uploading software packages from untrusted or unverified sources until patched.
  • Review existing uploaded packages for provenance and remove any that cannot be trusted.
  • Manually inspect and edit auto-generated uninstall scripts before deploying them to endpoints.
  • Monitor for suspicious command execution during uninstall operations, especially on macOS/Linux and Windows endpoints managed by Fleet.

Evidence notes

Evidence comes from the NVD record and the linked GitHub security advisory/release notes. NVD describes the vulnerable surface as Fleet’s software installer pipeline and states that package metadata from .pkg, .deb, .rpm, .exe, and .msi uploads is used to generate uninstall scripts. The weakness is that this metadata is not properly sanitized before being included in those scripts. The CVE record maps the issue to CWE-78 and lists a CVSS 4.0 vector indicating network access, low complexity, and required user interaction with high integrity impact. The vendor references a security advisory and Fleet release notes for remediation.

Official resources

CVE published at 2026-05-14T20:17:02.173Z and last modified at 2026-05-18T14:05:02.597Z. The source corpus identifies the issue as publicly disclosed through the official CVE/NVD record and linked vendor materials.