CVE-2026-34388
Published: 27 March 2026
Summary
CVE-2026-34388 is a high-severity Improper Check or Handling of Exceptional Conditions (CWE-703) vulnerability in Fleetdm Fleet. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SI-11 directly addresses the improper handling of exceptional conditions by requiring the system to manage errors like unexpected log type values without compromising availability or crashing the server.
SI-10 mandates validation of information inputs to the gRPC Launcher endpoint, preventing crashes from malformed or unexpected log type values.
SC-5 implements denial-of-service protections to limit the effects of crafted requests exploiting the gRPC endpoint's vulnerability, maintaining server availability.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The CVE enables a direct application DoS: crafted gRPC input triggers a process crash (T1499.004 Application or System Exploitation).
NVD Description
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Deeper analysis [AI]
CVE-2026-34388 is a denial-of-service vulnerability in Fleet, open source device management software. The issue affects versions prior to 4.81.0 and resides in Fleet's gRPC Launcher endpoint, where the server fails to handle an unexpected log type value properly, leading to immediate process termination. The flaw is classified under CWE-703 (Improper Check or Handling of Exceptional Conditions) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting a high availability impact, network accessibility and low attack complexity.
An authenticated host enrolled in Fleet can exploit this vulnerability by sending a specially crafted unexpected log type value via the gRPC Launcher endpoint. Successful exploitation crashes the entire Fleet server process without warning, resulting in widespread disruption: all connected hosts lose management capabilities, MDM enrollments fail, and API consumers are blocked from operations until the server restarts. Attackers require only valid host authentication, typically granted during normal device enrollment.
The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-w254-4hp5-7cvv details the patch in version 4.81.0, which addresses the improper handling in the gRPC endpoint. Security practitioners should upgrade to 4.81.0 or later and monitor for anomalous gRPC traffic from enrolled hosts to mitigate exposure.
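To make the CWE-703 failure mode concrete, the following is an added Go example (not Fleet's code; the LogType values, function names and request shape are assumptions) that contrasts a handler which panics on an unexpected log type, taking the whole server process down, with one that validates the value and returns a per-request error, plus a recover wrapper of the kind a gRPC recovery interceptor provides.

```go
package main

import (
	"errors"
	"fmt"
)

// LogType stands in for the enum-style log type field carried by a
// launcher log request. Hypothetical; not Fleet's actual type.
type LogType int32

const (
	LogTypeStatus LogType = 1
	LogTypeResult LogType = 2
)

var ErrUnexpectedLogType = errors.New("unexpected log type")

// handleLogsUnsafe models the CWE-703 failure mode: a switch whose
// default branch panics. In a gRPC server every request runs in its
// own goroutine, and an unrecovered panic there kills the process.
func handleLogsUnsafe(t LogType, logs []string) int {
	switch t {
	case LogTypeStatus, LogTypeResult:
		return len(logs)
	default:
		panic(fmt.Sprintf("unhandled log type %d", t))
	}
}

// handleLogsSafe checks the value first and returns an error that
// the gRPC layer can map to InvalidArgument for this request only.
func handleLogsSafe(t LogType, logs []string) (int, error) {
	switch t {
	case LogTypeStatus, LogTypeResult:
		return len(logs), nil
	default:
		return 0, fmt.Errorf("%w: %d", ErrUnexpectedLogType, t)
	}
}

// withRecover is the defence-in-depth layer a recovery interceptor
// provides: a handler panic becomes a per-request error instead of
// terminating the process.
func withRecover(fn func() int) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return fn(), nil
}
```

Validating the enum before dispatch is the fix; the recover wrapper only limits blast radius if a future branch is missed.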
Details
- CWE(s)