High severity8.1NVD Advisory· Published Mar 27, 2026· Updated Apr 7, 2026
CVE-2026-34385
CVE-2026-34385
Description
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/fleetdm/fleet/v4Go | < 4.81.0 | 4.81.0 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/fleetdm/fleet/v4pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 4.81.0+ 1 more
- (no CPE)range: < 4.81.0
- (no CPE)range: < 0.0.20260402T184258-150000.1.158.1
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-v895-833r-8c45ghsaADVISORY
- github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-34385ghsaADVISORY
News mentions
0No linked articles in our index yet.