Description
Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. Version 4.81.1 patches the issue.
Published: 2026-03-27
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data disclosure
Action: Patch immediately
AI Analysis

Impact

Fleet, an open‑source device‑management platform, contains a flaw in its Windows MDM command processor that permits a malicious device enrolled in a fleet to read commands meant for other devices. The result is an unauthorized disclosure of sensitive configuration information—including Wi‑Fi credentials, VPN secrets, and certificate payloads—across the entire Windows fleet.

Affected Systems

The issue affects Fleet deployments of any version earlier than 4.81.1, and the exposure covers every Windows device enrolled in Fleet's MDM on such an installation, since a single malicious enrollment can read commands queued for any other device. The CVE record (assigned through GitHub's CNA) classifies the weakness as CWE‑488, Exposure of Data Element to Wrong Session: command data belonging to one device's MDM session is returned to another device's session.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 6.6 (Medium) from the CNA and a CVSS v3.1 score of 7.5 (High) from NVD; both vectors rate it network‑reachable with low attack complexity, no privileges and no user interaction required, with a high confidentiality impact and no integrity or availability impact (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). EPSS is below 1%, the issue is not in CISA's KEV catalog, and the SSVC assessment records exploitation as none and the attack as not automatable. The practical precondition is an attacker who controls, or can enroll, a Windows device in the Fleet MDM: from that position the Fleet server is reached over the network and commands intended for other enrolled devices can be obtained, with no sign to those devices that their commands were read. Because no public exploit is documented, the near‑term risk is lower than for actively exploited flaws, but the payloads at stake (Wi‑Fi credentials, VPN secrets, certificate material) are exactly the kind an intruder with a single device foothold would use to move across the estate, so the exposure is significant for any deployment that pushes such profiles.
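To make the weakness class concrete, the following is an added illustration, not Fleet's code and not a description of the actual bug (the advisory does not detail the mechanism). It shows a toy MDM command store that serves any command by its UUID to whoever asks, beside one that scopes every lookup to the device identity the server authenticated for the session and records cross-device attempts so they can be found during log review. The type and function names (CommandStore, FetchUnsafe, FetchScoped, PendingFor), the device and command identifiers, and the payload strings are all assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Command is one MDM command queued by the server. TargetDeviceID is the
// enrollment the command was issued for; it is the only thing the server
// should trust when deciding who may read the command.
type Command struct {
	UUID           string
	TargetDeviceID string
	Payload        string // e.g. a SyncML body carrying a Wi-Fi or VPN profile
}

// AuditEvent records a request that named a command belonging to another
// device: the signal to look for when reviewing MDM logs.
type AuditEvent struct {
	RequestingDeviceID string
	CommandUUID        string
	OwnerDeviceID      string
}

var ErrNotFound = errors.New("command not found")

// CommandStore is a toy in-memory queue (assumed for the example). Real
// servers back this with a database; the authorization logic is the same.
type CommandStore struct {
	byUUID map[string]Command
	Audit  []AuditEvent
}

func NewCommandStore(cmds ...Command) *CommandStore {
	s := &CommandStore{byUUID: make(map[string]Command)}
	for _, c := range cmds {
		s.byUUID[c.UUID] = c
	}
	return s
}

// FetchUnsafe looks a command up by the UUID the device supplied and returns
// it to whoever asked. Any enrolled device that learns or guesses a UUID can
// read commands, and their payloads, issued to other devices. This is the
// weakness class (CWE-488, data exposed to the wrong session).
func (s *CommandStore) FetchUnsafe(commandUUID string) (Command, error) {
	c, ok := s.byUUID[commandUUID]
	if !ok {
		return Command{}, ErrNotFound
	}
	return c, nil
}

// FetchScoped binds the lookup to the identity the server authenticated for
// the MDM session (authDeviceID), never to a device ID carried in the request.
// A UUID that exists but belongs to another device is refused with the same
// error as a missing one, so the endpoint does not confirm which UUIDs exist,
// and the attempt is recorded for later review.
func (s *CommandStore) FetchScoped(authDeviceID, commandUUID string) (Command, error) {
	c, ok := s.byUUID[commandUUID]
	if !ok {
		return Command{}, ErrNotFound
	}
	if c.TargetDeviceID != authDeviceID {
		s.Audit = append(s.Audit, AuditEvent{
			RequestingDeviceID: authDeviceID,
			CommandUUID:        commandUUID,
			OwnerDeviceID:      c.TargetDeviceID,
		})
		return Command{}, ErrNotFound
	}
	return c, nil
}

// PendingFor lists commands queued for the authenticated device only.
func (s *CommandStore) PendingFor(authDeviceID string) []Command {
	var out []Command
	for _, c := range s.byUUID {
		if c.TargetDeviceID == authDeviceID {
			out = append(out, c)
		}
	}
	return out
}

// SampleStore builds a constructed queue: two enrolled devices, each with one
// command whose payload carries a secret. All values are made up.
func SampleStore() *CommandStore {
	return NewCommandStore(
		Command{UUID: "cmd-1111", TargetDeviceID: "dev-A", Payload: "Wi-Fi profile: SSID corp, PSK <redacted>"},
		Command{UUID: "cmd-2222", TargetDeviceID: "dev-B", Payload: "VPN profile: shared secret <redacted>"},
	)
}

func main() {
	s := SampleStore()
	// dev-A asks for the command queued for dev-B.
	if c, err := s.FetchUnsafe("cmd-2222"); err == nil {
		fmt.Println("unsafe lookup: dev-A read", c.Payload)
	}
	if _, err := s.FetchScoped("dev-A", "cmd-2222"); err != nil {
		fmt.Println("scoped lookup: dev-A refused:", err, "| audit events:", len(s.Audit))
	}
}
```

The design point is that authorization is derived from the session the server itself established, so a caller-supplied device identifier or command UUID can never widen what a device may read; the uniform ErrNotFound keeps the endpoint from acting as an oracle for valid UUIDs, while the audit slice captures exactly the "anomalous command request" a log review should surface.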

Generated by OpenCVE AI on April 2, 2026 at 22:44 UTC.

Remediation

Vendor fix: Fleet 4.81.1 and later contain the patch. No workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Upgrade the Fleet server to version 4.81.1 or later; the flaw is in the server's Windows MDM command processing, so the server upgrade is what closes it
  • Confirm that every Fleet instance managing Windows MDM enrollments is on the updated version
  • Review MDM logs on pre‑4.81.1 servers for anomalous command requests, in particular a device requesting or acknowledging commands that were issued to a different device
  • If such activity is found, treat secrets delivered through Windows MDM profiles (Wi‑Fi credentials, VPN secrets, certificates) as exposed and rotate them



Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Fleetdm
                                       Fleetdm fleet
Vendors & Products                     Fleetdm
                                       Fleetdm fleet

Fri, 27 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. Version 4.81.1 patches the issue.
Title                          Fleet Vulnerable to Windows MDM cross-device command disclosure
Weaknesses                     CWE-488
References
Metrics                        cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:54:54.644Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34391

Vulnrichment

Updated: 2026-03-27T19:54:50.926Z

NVD

Status : Analyzed

Published: 2026-03-27T20:16:36.113

Modified: 2026-04-02T19:42:08.183

Link: CVE-2026-34391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:34Z

Weaknesses