CVE-2026-34385
Published: 27 March 2026
Summary
CVE-2026-34385 is a high-severity SQL Injection (CWE-89) vulnerability in Fleetdm Fleet. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely patching of Fleet to version 4.81.0, which fully addresses the second-order SQL injection in the Apple MDM profile delivery pipeline.
- SI-10 (Information Input Validation): mandates validation of MDM profile inputs to block SQL injection payloads from compromising the Fleet database.
- Vulnerability scanning: facilitates identification of SQL injection flaws like CVE-2026-34385 in the MDM profile pipeline for remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the public-facing Fleet MDM pipeline directly enables T1190 (Exploit Public-Facing Application) for initial access; it also facilitates access to database contents (T1213.006) and retrieval of credentials, API tokens and secrets (T1552).
NVD Description
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.
Deeper analysis
CVE-2026-34385 is a second-order SQL injection vulnerability (CWE-89) affecting Fleet, open source device management software, in its Apple MDM profile delivery pipeline. Versions of Fleet prior to 4.81.0 are vulnerable, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The flaw enables unauthorized access to the Fleet database through SQL payloads that arrive via MDM profile data, are stored, and are only later interpolated into a query.
An attacker with a valid MDM enrollment certificate, indicating low privileges (PR:L), can exploit this vulnerability remotely over the network without user interaction. Successful exploitation allows the attacker to exfiltrate or modify sensitive data in the Fleet database, such as user credentials, API tokens, and device enrollment secrets, potentially compromising the entire device management infrastructure.
The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45 confirms that upgrading to version 4.81.0 fully patches the issue by addressing the SQL injection in the MDM profile delivery pipeline. Security practitioners should prioritize updating affected Fleet instances and review access to MDM enrollment certificates.
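The defining property of a second-order injection is that the first write is perfectly safe (parameterised, validated by nothing) and the damage happens later, when stored data is treated as trusted and spliced into SQL text. The following Python/sqlite3 example is added here to illustrate that pattern and the two mitigations named above (SI-10 input validation and the parameterised query that the patch amounts to); it is not Fleet's code and does not reproduce the actual vulnerable code path. The tables `profiles` and `host_profiles`, the functions `record_request`, `deliver_vulnerable` and `deliver_fixed`, the identifier allowlist and all sample values are constructed for this example.

```python
import re
import sqlite3

# Constructed, hypothetical schema standing in for a profile-delivery
# workflow. It is NOT Fleet's schema; table and column names are assumptions.
SCHEMA = """
CREATE TABLE profiles (identifier TEXT PRIMARY KEY, payload TEXT NOT NULL);
CREATE TABLE host_profiles (host_id INTEGER NOT NULL, identifier TEXT NOT NULL);
INSERT INTO profiles VALUES ('com.example.wifi', 'wifi-settings');
INSERT INTO profiles VALUES ('com.example.vpn', 'vpn-settings-with-secret');
"""

# Allowlist for a reverse-DNS style profile identifier: SI-10 style validation
# applied where the value enters the system, before it is ever stored.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,254}$")


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_request(conn: sqlite3.Connection, host_id: int, identifier: str,
                   validate: bool = False) -> None:
    """First-order step: a low-privilege party asks for a profile and the
    request is stored. The INSERT is parameterised, so this step never fails
    and the stored string looks harmless until it is reused later."""
    if validate and not IDENTIFIER_RE.fullmatch(identifier):
        raise ValueError(f"rejected profile identifier: {identifier!r}")
    conn.execute("INSERT INTO host_profiles VALUES (?, ?)", (host_id, identifier))


def _stored_identifiers(conn: sqlite3.Connection, host_id: int) -> list:
    rows = conn.execute(
        "SELECT identifier FROM host_profiles WHERE host_id = ?", (host_id,)
    ).fetchall()
    return [ident for (ident,) in rows]


def deliver_vulnerable(conn: sqlite3.Connection, host_id: int) -> list:
    """Second-order step with the defect: the value read back from the
    database is treated as trusted and spliced into SQL text."""
    payloads = []
    for ident in _stored_identifiers(conn, host_id):
        query = f"SELECT payload FROM profiles WHERE identifier = '{ident}'"  # the defect
        payloads += [r[0] for r in conn.execute(query)]
    return payloads


def deliver_fixed(conn: sqlite3.Connection, host_id: int) -> list:
    """Same step, hardened: the stored value is bound as a parameter, so it
    can only ever be compared literally against profile identifiers."""
    payloads = []
    for ident in _stored_identifiers(conn, host_id):
        payloads += [r[0] for r in conn.execute(
            "SELECT payload FROM profiles WHERE identifier = ?", (ident,))]
    return payloads


# Constructed inputs: a legitimate identifier and a textbook tautology string,
# used only to show that the two delivery paths diverge on stored data.
BENIGN = "com.example.wifi"
TAUTOLOGY = "x' OR '1'='1"


def demo() -> dict:
    conn = new_db()
    record_request(conn, 1, BENIGN)
    record_request(conn, 2, TAUTOLOGY)  # accepted: parameterised insert, no validation
    result = {
        "benign_vulnerable": deliver_vulnerable(conn, 1),
        "benign_fixed": deliver_fixed(conn, 1),
        "stored_vulnerable": deliver_vulnerable(conn, 2),  # returns every profile
        "stored_fixed": deliver_fixed(conn, 2),            # matches nothing
    }
    # With SI-10 style validation at intake the bad value is never stored.
    try:
        record_request(conn, 3, TAUTOLOGY, validate=True)
        result["validated_accepted"] = True
    except ValueError:
        result["validated_accepted"] = False
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the example makes for a reviewer: grepping for string formatting into SQL (`f"... '{ident}'"` and its `+`/`%` equivalents) finds the defect regardless of where the data originally came from, and validation at intake is defence in depth rather than the fix itself, since the same stored value may reach several later queries.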
Details
- CWE(s): CWE-89 (SQL Injection)