CVE-2026-34388
Denial-of-Service in Fleet gRPC Launcher Crashes Server

Publication date: 2026-03-27

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: fleetdm
Product: fleet
Version / Range: up to 4.81.0 (exclusive)
CWE
CWE-703: The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The only effective mitigation for this vulnerability is to upgrade the Fleet software to version 4.81.0 or later.

No other workarounds or mitigations exist, so applying the patch promptly is critical to prevent denial-of-service attacks.

Executive Summary

CVE-2026-34388 is a high-severity denial-of-service vulnerability in Fleet's gRPC Launcher endpoint affecting versions prior to 4.81.0.

An authenticated host with a valid Launcher node key can exploit this vulnerability by sending a specially crafted gRPC request containing an unexpected log type value.

This malformed input is not properly handled by the gRPC server, causing the entire Fleet server process to crash immediately and unrecoverably.

Impact Analysis

Exploiting this vulnerability causes the Fleet server to terminate immediately, disrupting all connected hosts, Mobile Device Management (MDM) enrollments, and API consumers.

Because the server crashes instead of handling the invalid request gracefully, attackers can repeatedly trigger this crash, resulting in a persistent denial of service.
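The crash class behind CWE-703, as an added Go illustration that is not Fleet's code: the page does not show the actual Launcher handler or the exact failure, so it is assumed here to be an unrecovered panic on an out-of-range enum value. The unchecked handler lets an unexpected log type value take the process down, the checked one rejects it with an ordinary error, and a recover wrapper keeps any remaining handler panic from terminating the server.

```go
package main

import (
	"errors"
	"fmt"
)

// LogType stands in for the enum carried by a Launcher log-upload request.
// The values are illustrative, not Fleet's real protobuf definitions.
type LogType int32

const (
	LogTypeStatus LogType = 0
	LogTypeResult LogType = 1
)

var ErrUnknownLogType = errors.New("unknown log type")

// collectorNames is indexed by LogType and only covers known values.
var collectorNames = []string{"status_logs", "result_logs"}

// routeUnchecked shows the CWE-703 anti-pattern: it trusts the client's
// enum value, so an unexpected value like 7 causes an index-out-of-range
// panic, and an unrecovered panic in Go terminates the whole process.
func routeUnchecked(t LogType) (string, error) {
	return collectorNames[int(t)], nil
}

// routeChecked validates the value first and returns an ordinary error,
// which a gRPC handler would surface as an InvalidArgument status.
func routeChecked(t LogType) (string, error) {
	if t < 0 || int(t) >= len(collectorNames) {
		return "", fmt.Errorf("%w: %d", ErrUnknownLogType, t)
	}
	return collectorNames[t], nil
}

// withRecover is defence in depth: a panic inside the handler becomes an
// error for that one request instead of a crash of the server process.
func withRecover(fn func(LogType) (string, error), t LogType) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return fn(t)
}
```

Calling withRecover(routeUnchecked, 7) returns an error rather than killing the process, while routeChecked(7) never reaches the table at all.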

Detection Guidance

This vulnerability involves an authenticated host sending a specially crafted gRPC request with an unexpected log type value to the Fleet gRPC Launcher endpoint, causing the server to crash.

Detection would involve monitoring for unexpected crashes or terminations of the Fleet server process, especially following gRPC Launcher endpoint activity.

Since the vulnerability requires an authenticated host with a valid Launcher node key to send malformed gRPC requests, network detection could focus on identifying unusual or malformed gRPC traffic to the Launcher endpoint.

However, no specific commands or detection tools are provided in the available information.
