CVE-2026-34386

moderate-risk
Published 2026-03-27

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Fleetdm

References (1)

Vendor Advisory https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m
35
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal