CVE-2026-34385
Second-Order SQL Injection in Fleet MDM Risks Data Exposure

Publication date: 2026-03-27

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-27
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product   Version / Range
fleetdm   fleet     before 4.81.0 (4.81.0 itself excluded)
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34385 is a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline, affecting versions prior to 4.81.0.

The UDID a device sends in its MDM Authenticate check-in is first stored with a parameterized query, so that write is safe. The flaw is downstream: an asynchronous worker that later processes the profile delivery job reads the stored UDID back and interpolates it directly into SQL statement text. That is what makes the injection second-order: the payload survives the safe first query and is only executed when a later code path trusts the stored value.

The interpolated value lands in four subqueries of the same statement, which gives an attacker blind, boolean-based and UNION-based injection. Because Fleet's MySQL driver is configured with multiStatements=true, stacked queries are also accepted, so the attacker is not limited to reading data and can issue arbitrary writes.

An attacker holding a valid MDM enrollment certificate can therefore exfiltrate or modify the Fleet database, including user credentials, API tokens and device enrollment secrets.
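The two-stage pattern described above, as an added Go example that is not Fleet's code: stage one stores the UDID the way a parameterized INSERT would, stage two shows the worker splicing the stored value into statement text beside a hardened version that uses a placeholder and a format allowlist. A small statement counter shows why multiStatements=true turns the splice into stacked queries, and a DSN check flags that setting. The table name mdm_enrollments, the column udid, the UDID regex and the payload are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed example, not Fleet's code: it models the two-stage pipeline the
// advisory describes. Table and column names (mdm_enrollments, udid) and the
// UDID format are assumptions made for the illustration.

// Enrollment stands in for the row written when a device sends the MDM
// Authenticate message; the UDID is stored verbatim.
type Enrollment struct {
	UDID string
}

// udidPattern is an assumed allowlist: hexadecimal groups separated by
// hyphens, which covers UUID-style macOS hardware UUIDs and 25/40-character
// iOS UDIDs. Anything else has no business reaching a SQL statement.
var udidPattern = regexp.MustCompile(`^[0-9A-Fa-f]{8,40}(-[0-9A-Fa-f]{1,20})*$`)

// storeAuthenticate is stage one. In the real pipeline this is a parameterized
// INSERT, so the UDID is stored safely whatever it contains. That safety does
// not carry over to later code that reads the value back.
func storeAuthenticate(store map[string]Enrollment, udid string) {
	store[udid] = Enrollment{UDID: udid}
}

// vulnerableWorkerQuery is stage two as the advisory describes it: the worker
// trusts the stored value and splices it into the statement text.
func vulnerableWorkerQuery(e Enrollment) string {
	return fmt.Sprintf("SELECT id FROM mdm_enrollments WHERE udid = '%s'", e.UDID)
}

// hardenedWorkerQuery keeps the value out of the statement text with a
// placeholder and, as defence in depth, rejects values outside the allowlist.
func hardenedWorkerQuery(e Enrollment) (string, []any, error) {
	if !udidPattern.MatchString(e.UDID) {
		return "", nil, fmt.Errorf("refusing to query with malformed udid %q", e.UDID)
	}
	return "SELECT id FROM mdm_enrollments WHERE udid = ?", []any{e.UDID}, nil
}

// countTopLevelStatements counts statements outside single-quoted literals,
// ignoring "--" comments: roughly how a driver with multiStatements=true
// would split the text before sending it to the server.
func countTopLevelStatements(q string) int {
	inStr, sawText, count := false, false, 0
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case c == '\'':
			if inStr && i+1 < len(q) && q[i+1] == '\'' { // '' escapes a quote
				i++
				continue
			}
			inStr = !inStr
			sawText = true
		case !inStr && c == ';':
			if sawText {
				count++
				sawText = false
			}
		case !inStr && c == '-' && i+1 < len(q) && q[i+1] == '-':
			for i < len(q) && q[i] != '\n' { // comment runs to end of line
				i++
			}
		case c != ' ' && c != '\t' && c != '\n':
			sawText = true
		}
	}
	if sawText {
		count++
	}
	return count
}

// dsnAllowsStackedQueries reports whether a go-sql-driver/mysql DSN carries
// multiStatements=true, the setting that turns a string splice into writes.
func dsnAllowsStackedQueries(dsn string) bool {
	i := strings.IndexByte(dsn, '?')
	if i < 0 {
		return false
	}
	params, err := url.ParseQuery(dsn[i+1:])
	return err == nil && params.Get("multiStatements") == "true"
}

func main() {
	store := map[string]Enrollment{}
	// Constructed payload: closes the literal, appends a write, comments out the rest.
	payload := "x'; UPDATE users SET api_only = 0 WHERE id = 1; -- "
	storeAuthenticate(store, payload) // stage one accepts it without complaint

	q := vulnerableWorkerQuery(store[payload])
	fmt.Printf("worker would run %d statements: %s\n", countTopLevelStatements(q), q)
	if _, _, err := hardenedWorkerQuery(store[payload]); err != nil {
		fmt.Println("hardened worker:", err)
	}
	fmt.Println("stacked queries enabled:",
		dsnAllowsStackedQueries("fleet:secret@tcp(127.0.0.1:3306)/fleet?parseTime=true&multiStatements=true"))
}
```

The point of the allowlist is not to replace the placeholder but to stop a bad value at the boundary where it is cheapest to reject; the placeholder is what actually removes the injection, and it works even for values the allowlist would have let through.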


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to serious impacts including:

  • Exfiltration or modification of the Fleet database contents, including user credentials, API tokens, and device enrollment secrets.
  • Creation of new admin accounts within the Fleet system.
  • Altering configurations and deploying malicious profiles or scripts to managed devices.
  • Deletion of data from the Fleet database.

Exploitation requires a valid SCEP-issued enrollment certificate, which every enrolled device holds; an attacker who can enroll a device of their own therefore meets the precondition.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start with the two preconditions: the Fleet instance runs a version prior to 4.81.0, and Apple MDM is enabled. Instances that meet both are exposed to any enrolled device.

For exploitation attempts, the useful signal is not the HTTP request, which is an ordinary Authenticate check-in, but the UDID it carries and the queries the worker later runs. A legitimate Apple UDID is hexadecimal, possibly hyphen-separated; a stored UDID containing quotes, semicolons, comment markers or SQL keywords is an attempt. On the database side, a MySQL general or audit log showing the worker's statement with such a literal spliced in, or several statements executed where one is expected, indicates the injection reached the server. Unexpected new admin users, changed API tokens or modified profiles are the downstream symptoms.

The available resources provide no explicit commands or detection scripts.
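A triage helper written for this page in Go (not a Fleet tool) that covers the detection points above: it decides whether a reported version is below 4.81.0, combines that with whether Apple MDM is enabled, and scans check-in log lines for UDIDs that fall outside the hexadecimal shape a real UDID has. The endpoints /api/v1/fleet/version and /api/v1/fleet/config, the field names version and mdm.enabled_and_configured, the JSON log layout and the sample lines are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed triage helper, not a Fleet tool. The JSON field names
// (version, mdm.enabled_and_configured) and the log line layout are
// assumptions made for this example.

// fixedVersion is the first release the advisory names as patched.
var fixedVersion = [3]int{4, 81, 0}

// parseVersion accepts "4.80.1", "v4.80.1" or "4.81.0-rc1" and returns the
// numeric triple plus whether a pre-release suffix was present.
func parseVersion(v string) ([3]int, bool, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	pre := false
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false, fmt.Errorf("unexpected version %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, pre, nil
}

// VersionAffected reports whether a version is below 4.81.0. A pre-release of
// 4.81.0 itself sorts before the release and is treated as affected.
func VersionAffected(v string) (bool, error) {
	pv, pre, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pv[i] != fixedVersion[i] {
			return pv[i] < fixedVersion[i], nil
		}
	}
	return pre, nil
}

// Triage combines the advisory's two conditions: affected version and Apple
// MDM enabled. Feed it the bodies of GET /api/v1/fleet/version and
// GET /api/v1/fleet/config (assumed endpoints and field names).
func Triage(versionJSON, configJSON []byte) (bool, string, error) {
	var vr struct {
		Version string `json:"version"`
	}
	var cr struct {
		MDM struct {
			EnabledAndConfigured bool `json:"enabled_and_configured"`
		} `json:"mdm"`
	}
	if err := json.Unmarshal(versionJSON, &vr); err != nil {
		return false, "", err
	}
	if err := json.Unmarshal(configJSON, &cr); err != nil {
		return false, "", err
	}
	affected, err := VersionAffected(vr.Version)
	if err != nil {
		return false, "", err
	}
	switch {
	case !affected:
		return false, "version " + vr.Version + " is 4.81.0 or later", nil
	case !cr.MDM.EnabledAndConfigured:
		return false, "version " + vr.Version + " is affected but Apple MDM is not enabled", nil
	default:
		return true, "version " + vr.Version + " with Apple MDM enabled: upgrade", nil
	}
}

// udidPattern is the assumed shape of a legitimate Apple UDID: hex groups
// separated by hyphens. Quotes, semicolons or SQL keywords in a UDID are
// exactly what an exploitation attempt looks like at check-in time.
var udidPattern = regexp.MustCompile(`^[0-9A-Fa-f]{8,40}(-[0-9A-Fa-f]{1,20})*$`)

// SuspiciousUDIDs scans JSON log lines of the constructed form
// {"msg":"mdm authenticate","udid":"..."} and returns UDIDs outside the
// allowlist. Lines without a udid field are ignored.
func SuspiciousUDIDs(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		var rec struct {
			UDID string `json:"udid"`
		}
		if err := json.Unmarshal([]byte(line), &rec); err != nil || rec.UDID == "" {
			continue
		}
		if !udidPattern.MatchString(rec.UDID) {
			hits = append(hits, rec.UDID)
		}
	}
	return hits
}

func main() {
	// Constructed API responses and log lines.
	affected, why, _ := Triage([]byte(`{"version":"4.80.2"}`),
		[]byte(`{"mdm":{"enabled_and_configured":true}}`))
	fmt.Println(affected, why)
	fmt.Println("suspicious:", SuspiciousUDIDs([]string{
		`{"msg":"mdm authenticate","udid":"A1B2C3D4-E5F6-7890-ABCD-EF1234567890"}`,
		`{"msg":"mdm authenticate","udid":"00008030-001E2C3A0A45802E"}`,
		`{"msg":"mdm authenticate","udid":"x' OR 1=1; -- "}`,
		`{"msg":"healthz"}`,
	}))
}
```

Run the scan over the stored enrollment table as well as the check-in log: a second-order payload is only dangerous once it is persisted, so a row whose UDID fails the allowlist is the cleanest indicator that an attempt was made before the patch.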


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade Fleet to version 4.81.0 or later, where the issue is patched.

If an immediate upgrade is not feasible, disable Apple MDM in the Fleet instance as a temporary measure: instances without Apple MDM enabled are not affected. If there is any indication that the flaw was exploited before patching, treat the database as exposed and rotate the API tokens, user credentials and device enrollment secrets it holds, since those are exactly what the advisory says an attacker can read.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to exfiltrate or modify sensitive data stored in the Fleet database, including user credentials, API tokens, and device enrollment secrets.

Such unauthorized access and potential data breach could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to compromised confidentiality and integrity of protected data.

