CVE-2026-26191: Fleet vulnerable to OS command injection in software packages
A vulnerability in Fleet’s software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered.