What is GHSA-9vcr-g537-3w5v?

GHSA-9vcr-g537-3w5v is a security advisory published by GitHub Security Advisories with Medium severity. Fleet vulnerable to OS command injection in software packages

Which CVE IDs does GHSA-9vcr-g537-3w5v cover?

GHSA-9vcr-g537-3w5v covers the following CVE IDs: CVE-2026-26191. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-9vcr-g537-3w5v?

GHSA-9vcr-g537-3w5v affects 1 product, including: go/github.com/fleetdm/fleet/v4:\u003c 4.81.1.

GHSA-9vcr-g537-3w5vMedium

Fleet vulnerable to OS command injection in software packages

Vendor

GitHub Security Advisories

Published

May 14, 2026

Last Modified

May 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-26191 →

📋 Description

Summary

A vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered.

Impact

When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploaded to Fleet, metadata is extracted from the package binary and used to generate uninstall scripts. In affected versions, this metadata is not properly sanitized before being included in the generated scripts. A specially crafted package containing malicious values in its metadata fields could result in unintended command execution when the uninstall script runs on managed endpoints.

Workarounds

If an immediate upgrade is not possible, administrators should avoid uploading software packages obtained from untrusted or unverified sources. Additionally, administrators can manually inspect and edit auto-generated uninstall scripts before deployment.

For more information

If you have any questions or comments about this advisory:

Email us at [security@fleetdm.com](mailto:security@fleetdm.com)

Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)