Description
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized data exfiltration and configuration modification
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a SQL injection flaw located in Fleet's MDM bootstrap package configuration. An authenticated user with Team Admin or Global Admin privileges can submit crafted API requests that include malicious SQL statements, allowing the attacker to execute arbitrary SQL against the Fleet database. This can result in unauthorized extraction of sensitive data, modification of team configurations, and insertion of arbitrary content via the API, potentially compromising the integrity of the fleet management environment.

Affected Systems

The affected product is Fleet, the open‑source device‑management platform from FleetDM. Versions released prior to 4.81.0 are vulnerable. The patch was applied in release 4.81.0, which removes the injection point. All installations using older versions should be considered at risk until updated.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires the attacker to have authenticated access with Team Admin or Global Admin privileges, suggesting an insider or compromised account. Once authenticated, the attacker can send specially crafted API requests, exploiting the injection point in the MDM bootstrap package to execute arbitrary SQL against the database.

Generated by OpenCVE AI on March 27, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Fleet update (version 4.81.0 or newer) to remove the SQL injection vulnerability. If an update cannot be applied immediately, restrict Team Admin and Global Admin privileges to trusted users only, and monitor API activity for suspicious SQL patterns.

Generated by OpenCVE AI on March 27, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.
Title Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T18:30:10.512Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34386

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T19:16:43.427

Modified: 2026-03-27T19:16:43.427

Link: CVE-2026-34386

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:27:41Z

Weaknesses