Description
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6.2 Medium (CVSS v4.0 from the GitHub CNA; NVD's CVSS v3.1 rating is 8.1 High)
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a second‑order SQL injection (CWE-89) in Fleet’s Apple MDM profile delivery pipeline. "Second-order" means the hostile value is not executed at the point where it enters the system: an attacker holding a valid MDM enrollment certificate submits a specially crafted request, Fleet stores the value, and a later stage of profile delivery reads it back from the database and incorporates it into an SQL statement as if it were trusted. This flaw can be used to exfiltrate or alter data stored in the Fleet database, including user credentials, API tokens, and device enrollment secrets.

Affected Systems

Fleet, the open‑source device management platform from fleetdm, is affected in all releases prior to version 4.81.0. The vulnerability exists in the Apple MDM profile delivery component and is addressed by the 4.81.0 release. No other products or components are listed.

Risk and Exploitability

The headline score of 6.2 (Medium) is the CVSS v4.0 rating supplied by the GitHub CNA; NVD's own CVSS v3.1 assessment is 8.1 (High). Both vectors agree on network reachability, low attack complexity, no user interaction, and high confidentiality and integrity impact; the difference is largely the v4.0 exploit-maturity modifier (E:U). The EPSS score is below 1 %, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, so there is no evidence of exploitation in the wild at the time of writing. The only precondition is a valid MDM enrollment certificate, which every Apple device enrolled in Fleet MDM holds: the attacker does not need a Fleet user account, only control of an enrolled device or the ability to enroll one. Once the SQL injection is triggered, the attacker can read or modify the database contents that the description names. The CVE data claims no further lateral movement or privilege beyond database access, although the API tokens and enrollment secrets it lists are themselves credentials for the Fleet API and for enrolling additional hosts.

Generated by OpenCVE AI on April 8, 2026 at 00:00 UTC.

Remediation

Fixed in Fleet 4.81.0, per the CVE description and GHSA-v895-833r-8c45. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or later, which contains the patch.
  • If an upgrade is not yet possible, treat every enrolled Apple device as holding the prerequisite credential: limit who can enroll, keep the validity of MDM enrollment certificates short, and unenroll or revoke any device that appears compromised.
  • Monitor database query logs and Fleet application logs for anomalous statements, in particular string literals that appear to have been closed early and are followed by SQL keywords or comment markers.
  • After patching, rotate the credential classes the advisory names (user passwords, API tokens, enrollment secrets) if there is any indication the database was read.
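One concrete form of the monitoring recommendation, as an added example rather than an OpenCVE or Fleet tool: a scanner over MySQL general-query-log lines that flags statements whose string literals look broken out of. The log lines are constructed for this example and only follow the general log's layout (timestamp, connection id, command, argument); nothing here is taken from a real Fleet deployment. The heuristics (a keyword directly after a closed literal, an inline comment, an odd number of unescaped quotes) are deliberately simple and will produce false positives on unusual but legitimate data.

```python
"""Flag statements in a MySQL general query log that look like a string literal
was broken out of. Added example, not an OpenCVE or Fleet tool; SAMPLE_LOG is
constructed and only follows the general log layout (time, id, command, argument)."""
import re
from typing import Dict, List

SAMPLE_LOG = """\
2026-04-08T00:00:01.000000Z\t   12 Query\tSELECT identifier, status FROM profiles WHERE host_uuid = 'A1B2-C3D4'
2026-04-08T00:00:02.000000Z\t   12 Query\tSELECT identifier, status FROM profiles WHERE host_uuid = 'x' UNION SELECT name, value FROM secrets -- '
2026-04-08T00:00:03.000000Z\t   13 Prepare\tSELECT identifier, status FROM profiles WHERE host_uuid = ?
2026-04-08T00:00:04.000000Z\t   13 Execute\tSELECT identifier, status FROM profiles WHERE host_uuid = 'O''Brien'
"""

# General log layout: <timestamp>\t<spaces><connection id> <command>\t<argument>
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<sql>.*)$")

# A closing quote followed by a boolean/UNION clause: the literal was terminated early.
BREAKOUT_RE = re.compile(
    r"'\s*(union(\s+all)?\s+select\b|or\s+\S+\s*=|and\s+\S+\s*=)", re.IGNORECASE
)
# Inline comment markers that attackers use to swallow the rest of a template.
COMMENT_RE = re.compile(r"--\s|/\*")


def quote_balanced(sql: str) -> bool:
    """True if the number of unescaped single quotes is even. Escaped quotes
    ('' and \\') are removed before counting so legitimate names survive."""
    stripped = sql.replace("\\'", "").replace("''", "")
    return stripped.count("'") % 2 == 0


def suspicious_reasons(sql: str) -> List[str]:
    """Return the list of heuristics a statement trips; empty means clean."""
    reasons = []
    if BREAKOUT_RE.search(sql):
        reasons.append("keyword immediately after a closed string literal")
    if COMMENT_RE.search(sql):
        reasons.append("inline SQL comment")
    if not quote_balanced(sql):
        reasons.append("unbalanced single quotes")
    return reasons


def scan_general_log(text: str) -> List[Dict[str, object]]:
    """Parse general-log lines and return the statements that trip a heuristic.
    Only Query and Execute lines carry concrete values; Prepare lines hold the
    template with '?' placeholders and are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] not in ("Query", "Execute"):
            continue
        reasons = suspicious_reasons(m["sql"])
        if reasons:
            hits.append({"time": m["ts"], "conn": int(m["conn"]),
                         "reasons": reasons, "sql": m["sql"]})
    return hits


if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG):
        print(hit["time"], "conn", hit["conn"], "->", "; ".join(hit["reasons"]))
        print("   ", hit["sql"])
```

The general log is costly on a busy server and logs statement text only; in production the same checks are better run over an audit plugin's output or over the application's own query logging, and correlated with the Fleet request log so a flagged statement can be tied back to the enrolled device whose stored data produced it.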

Advisories
Source: GitHub GHSA
ID: GHSA-v895-833r-8c45
Title: Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database
History

Tue, 07 Apr 2026 21:30:00 +0000

CPEs (added): cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics (added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Tue, 31 Mar 2026 19:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

First Time appeared (added): Fleetdm; Fleetdm fleet
Vendors & Products (added): Fleetdm; Fleetdm fleet

Fri, 27 Mar 2026 18:45:00 +0000

Description (added): Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.
Title (added): Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database
Weaknesses (added): CWE-89
References (added)
Metrics (added): cvssV4_0 {'score': 6.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:54:35.661Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34385

Vulnrichment

Updated: 2026-03-31T18:51:21.617Z

NVD

Status : Analyzed

Published: 2026-03-27T19:16:43.270

Modified: 2026-04-07T21:15:47.103

Link: CVE-2026-34385

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:09Z

Weaknesses