CVE-2026-34386
SQL Injection in Fleet MDM Allows Data Exfiltration
Publication date: 2026-03-27
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fleetdm | fleet | < 4.81.0 (4.81.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34386 is a high-severity SQL injection vulnerability in the MDM bootstrap package of Fleet, an open source device management software. It affects versions prior to 4.81.0. The vulnerability allows an authenticated user with Team Admin or Global Admin privileges to exploit insufficient server-side input validation during MDM bootstrap package configuration.
By crafting malicious input in direct API calls, an attacker can manipulate SQL queries to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, including password hashes and API tokens, and inject arbitrary content into team configurations.
Exploitation requires both authentication with elevated admin roles and that Apple MDM is enabled; instances without Apple MDM enabled are not affected.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized modification of team configurations, which could disrupt device management operations.
Attackers can exfiltrate sensitive data from the Fleet database such as password hashes and API tokens, potentially leading to further compromise of the system or connected resources.
Injection of arbitrary content into team configurations could also lead to unexpected behavior or security issues within the managed environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection via direct API calls by authenticated users with Team Admin or Global Admin privileges during MDM bootstrap package configuration.
Detection would involve monitoring API calls for suspicious or malformed input targeting the MDM bootstrap package configuration endpoints, especially from users with elevated admin roles.
Since the vulnerability requires authentication and specific roles, reviewing logs for unusual configuration changes or unexpected data exfiltration attempts by Team Admin or Global Admin users could help identify exploitation.
No specific commands or detection scripts are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade Fleet to version 4.81.0 or later, which contains the patch for this vulnerability.
- Temporarily disable Apple MDM if possible, as the vulnerability only affects instances with Apple MDM enabled.
- Restrict or limit Team Admin and Global Admin roles to trusted users until the patched version is deployed.
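The detection and mitigation answers above stay generic, so here is an added triage example (not Fleet project code) that turns them into checks: an exposure test for the version gate (below 4.81.0 with Apple MDM enabled) and a log filter that flags bootstrap-package configuration writes by elevated roles whose string fields carry SQL syntax. The JSON log shape, the role labels `admin`/`team_admin`, the endpoint pattern `/mdm/bootstrap` and all sample events are constructed assumptions.

```python
import json
import re

# Added example (not Fleet project code). Role labels, log fields and the
# endpoint pattern are constructed assumptions for illustration.
FIXED_VERSION = (4, 81, 0)                      # fixed in 4.81.0; earlier releases are affected
ELEVATED_ROLES = {"admin", "team_admin"}        # assumed labels for Global Admin / Team Admin
BOOTSTRAP_PATH = re.compile(r"/mdm/bootstrap")  # assumed bootstrap-package config endpoint
# SQL syntax that has no business in a package name, URL or similar config string
SQLI_PATTERN = re.compile(r"('|--|;|/\*|\bUNION\b|\bSELECT\b|\bUPDATE\b)", re.IGNORECASE)


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.lstrip("v").split("."))


def is_affected(version: str, apple_mdm_enabled: bool) -> bool:
    """Exposed only when running < 4.81.0 with Apple MDM enabled."""
    return apple_mdm_enabled and parse_version(version) < FIXED_VERSION


def flag_suspicious(log_lines):
    """Return (user, path, field, fragment) for bootstrap-package configuration
    requests by elevated roles whose string fields carry SQL syntax."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("role") not in ELEVATED_ROLES:
            continue  # exploitation requires Team Admin or Global Admin
        if ev.get("method") not in ("POST", "PATCH") or not BOOTSTRAP_PATH.search(ev.get("path", "")):
            continue  # only configuration writes to the bootstrap-package endpoint
        for field, value in ev.get("body", {}).items():
            m = SQLI_PATTERN.search(value) if isinstance(value, str) else None
            if m:
                hits.append((ev["user"], ev["path"], field, m.group(0)))
                break
    return hits


# Constructed sample events; not real Fleet log output
SAMPLE_LOG = [
    '{"user":"alice","role":"admin","method":"POST","path":"/api/v1/fleet/mdm/bootstrap","body":{"team_id":3,"name":"corp-setup.pkg"}}',
    '{"user":"mallory","role":"team_admin","method":"POST","path":"/api/v1/fleet/mdm/bootstrap","body":{"team_id":3,"name":"setup.pkg\' UNION SELECT 1 -- "}}',
    '{"user":"bob","role":"observer","method":"POST","path":"/api/v1/fleet/mdm/bootstrap","body":{"team_id":1,"name":"a\';--"}}',
    '{"user":"carol","role":"admin","method":"GET","path":"/api/v1/fleet/hosts","body":{}}',
]

if __name__ == "__main__":
    print("affected 4.80.1 with Apple MDM:", is_affected("4.80.1", True))
    print("suspicious requests:", flag_suspicious(SAMPLE_LOG))
```

Only the team_admin request with SQL syntax in a string field is reported; the observer's request is skipped because that role cannot reach the vulnerable path, and a clean admin upload produces no hit.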
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in Fleet allows authenticated users with elevated admin privileges to exfiltrate sensitive data from the Fleet database, including password hashes and API tokens. This unauthorized access and potential data leakage could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.
Therefore, exploitation of this vulnerability may result in violations of confidentiality and data protection requirements mandated by these standards, potentially leading to legal and regulatory consequences for affected organizations.