CVE-2026-34386

Received Received - Intake

SQL Injection in Fleet MDM Allows Data Exfiltration

Publication date: 2026-03-27

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-27

Last Modified

2026-04-02

Generated

2026-06-16

AI Q&A

2026-03-27

EPSS Evaluated

2026-06-14

NVD

CVE-2026-34386

EUVD

EUVD-2026-16756

Affected Vendors & Products

Vendor	Product	Version / Range
fleetdm	fleet	to 4.81.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-34386 is a high-severity SQL injection vulnerability in the MDM bootstrap package of Fleet, an open source device management software. It affects versions prior to 4.81.0. The vulnerability allows an authenticated user with Team Admin or Global Admin privileges to exploit insufficient server-side input validation during MDM bootstrap package configuration.

By crafting malicious input in direct API calls, an attacker can manipulate SQL queries to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database—including password hashes and API tokens—and inject arbitrary content into team configurations.

Exploitation requires both authentication with elevated admin roles and that Apple MDM is enabled; instances without Apple MDM enabled are not affected.

Impact Analysis

This vulnerability can have serious impacts including unauthorized modification of team configurations, which could disrupt device management operations.

Attackers can exfiltrate sensitive data from the Fleet database such as password hashes and API tokens, potentially leading to further compromise of the system or connected resources.

Injection of arbitrary content into team configurations could also lead to unexpected behavior or security issues within the managed environment.

Detection Guidance

This vulnerability involves SQL injection via direct API calls by authenticated users with Team Admin or Global Admin privileges during MDM bootstrap package configuration.

Detection would involve monitoring API calls for suspicious or malformed input targeting the MDM bootstrap package configuration endpoints, especially from users with elevated admin roles.

Since the vulnerability requires authentication and specific roles, reviewing logs for unusual configuration changes or unexpected data exfiltration attempts by Team Admin or Global Admin users could help identify exploitation.

No specific commands or detection scripts are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include:

Upgrade Fleet to version 4.81.0 or later, which contains the patch for this vulnerability.
Temporarily disable Apple MDM if possible, as the vulnerability only affects instances with Apple MDM enabled.
Restrict or limit Team Admin and Global Admin roles to trusted users until the patched version is deployed.

Compliance Impact

The SQL injection vulnerability in Fleet allows authenticated users with elevated admin privileges to exfiltrate sensitive data from the Fleet database, including password hashes and API tokens. This unauthorized access and potential data leakage could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability may result in violations of confidentiality and data protection requirements mandated by these standards, potentially leading to legal and regulatory consequences for affected organizations.

Hi! I’m here to help you understand CVE-2026-34386. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-34386

SQL Injection in Fleet MDM Allows Data Exfiltration

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart