Description
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality and Integrity breach via SQL injection
Action: Immediate Patch
AI Analysis

Impact

A SQL injection flaw in the MDM bootstrap package configuration exposed by the Fleet open-source device management platform allows authenticated users with Team Admin or Global Admin rights to inject SQL through API parameters. An attacker can read or modify arbitrary database records, exfiltrate sensitive data, and inject invalid or malicious configuration entries into team settings. This directly compromises data confidentiality and integrity, enabling unauthorized configuration changes that could affect device management policies.

Affected Systems

The vulnerability exists in all Fleet releases prior to version 4.81.0. Deployments running Fleet (fleetdm) on any platform before the 4.81.0 patch are exposed. Version 4.81.0 implements the fix and should be deployed to all affected installations.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity assessment, while an EPSS score of less than 1% shows a low predicted probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. The attack does require legitimate high-privilege credentials; however, once an attacker holds Team Admin or Global Admin rights, the SQL injection can be executed through normal API calls without additional discovery steps.

Generated by OpenCVE AI on April 2, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or later to apply the vendor patch.
  • Restrict Team Admin and Global Admin privileges to a minimal set of trusted administrators.
  • Limit or disable API endpoints that allow direct modification of team configuration files until the upgrade is complete.
  • Monitor database logs for unusual SELECT or UPDATE statements that could indicate exploitation attempts.

Advisories

Source: GitHub GHSA
ID: GHSA-9p23-p2m4-2r4m
Title: Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 31 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fleetdm; Fleetdm fleet
Vendors & Products | | Fleetdm; Fleetdm fleet

Fri, 27 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.
Title | | Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin
Weaknesses | | CWE-89
References | |
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T19:02:07.123Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34386

Vulnrichment

Updated: 2026-03-30T19:02:03.043Z

NVD

Status: Analyzed

Published: 2026-03-27T19:16:43.427

Modified: 2026-04-02T17:04:41.347

Link: CVE-2026-34386

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:37Z

Weaknesses