CVE-2026-34391
Published: 27 March 2026
Summary
CVE-2026-34391 is a high-severity Exposure of Data Element to Wrong Session (CWE-488) vulnerability in Fleetdm Fleet. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 7.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to MDM commands, directly preventing a malicious enrolled device from accessing commands intended for other devices and exposing sensitive configuration data.
Requires timely identification, reporting, and remediation of flaws like the Windows MDM command processing vulnerability, mitigated by upgrading Fleet to version 4.81.1.
Enforces information flow control policies to restrict the flow of device-specific MDM commands and sensitive data like WiFi credentials and VPN secrets to authorized devices only.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables unauthorized cross-device access to MDM commands, directly exposing WiFi/VPN credentials, secrets, and certificate payloads stored in the configuration repository.
NVD Description
Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. Version 4.81.1 patches the issue.
Deeper analysis
CVE-2026-34391 affects Fleet, an open source device management software. In versions prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing enables a malicious enrolled device to access MDM commands intended for other devices. This exposure can reveal sensitive configuration data, such as WiFi credentials, VPN secrets, and certificate payloads, across the entire Windows fleet. The issue carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-488.
An attacker with a malicious device enrolled in the Fleet-managed Windows environment can exploit this vulnerability over the network with low complexity and no privileges or user interaction required. Successful exploitation allows the attacker to retrieve MDM commands targeted at other devices, resulting in high-impact unauthorized access to confidential configuration data fleet-wide.
Fleet's security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-wg7j-pcc3-h4rh documents the vulnerability. Upgrading to version 4.81.1 patches the issue in the Windows MDM command processing.
Details
- CWE(s)