CVE-2026-34386
Published: 27 March 2026
Summary
CVE-2026-34386 is a high-severity SQL Injection (CWE-89) vulnerability in Fleetdm Fleet. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely flaw remediation through upgrade to Fleet 4.81.0 or later.
Prevents SQL injection exploitation by validating and sanitizing API inputs to the MDM bootstrap package configuration endpoint.
Reduces attack surface by enforcing least privilege on Team Admin and Global Admin roles required for authenticated exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in Fleet's public API directly enables T1190 exploitation and facilitates database exfiltration (T1213.006) plus stored config data manipulation (T1565.001) by authenticated admins.
NVD Description
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.
Deeper analysis
CVE-2026-34386 is a SQL injection vulnerability (CWE-89) in the MDM bootstrap package configuration of Fleet, an open source device management software. The issue affects versions of Fleet prior to 4.81.0 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It was published on 2026-03-27.
An authenticated attacker with Team Admin or Global Admin privileges can exploit this vulnerability through direct API calls. Successful exploitation allows the attacker to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configurations.
The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m confirms that version 4.81.0 patches the vulnerability, and users should upgrade to this version or later to mitigate the issue.
Details
- CWE(s)