Fleet MDM Vulnerability: SQL Injection Threatens Sensitive Data
CVE Notify is flagging a critical second-order SQL injection vulnerability (CVE-2026-34385) impacting Fleet, the open-source device management software. They report that prior to version 4.81.0, an attacker possessing a valid MDM enrollment certificate could exploit this flaw. The vulnerability resides within Fleet’s Apple MDM profile delivery pipeline. Exploitation could lead to the exfiltration or modification of the Fleet database contents, a serious risk given the sensitive information it likely stores.
According to CVE Notify, the compromised data could include user credentials, API tokens, and crucial device enrollment secrets. This means a successful attack could grant an adversary deep access into an organization’s device management infrastructure, potentially enabling further lateral movement and compromise. Fleet has since patched this vulnerability in version 4.81.0, making an immediate upgrade a top priority for all users.
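The advisory describes a second-order SQL injection: a value that is stored safely at one stage (the enrollment request) is later trusted and concatenated into a query at a second stage (profile delivery). The following is an added, constructed example that is not Fleet's code and does not reflect Fleet's schema; it models a generic two-stage enrollment-then-delivery flow in SQLite to show where the injection fires and how parameterization at the second stage removes it.

```python
import sqlite3

# Constructed schema and data, not Fleet's. "team" stands in for any
# device-supplied attribute that is stored at enrollment and reused later.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices  (uuid TEXT PRIMARY KEY, team TEXT);
        CREATE TABLE profiles (team TEXT, name TEXT, secret TEXT);
        INSERT INTO profiles VALUES ('eng',  'wifi', 'eng-psk');
        INSERT INTO profiles VALUES ('exec', 'vpn',  'exec-vpn-token');
    """)
    return conn

def enroll(conn, uuid, team):
    # Stage 1: the enrollment request is written with a bound parameter.
    # This stage is NOT injectable; the payload is stored verbatim as data.
    conn.execute("INSERT INTO devices (uuid, team) VALUES (?, ?)", (uuid, team))

def profiles_for_device_vulnerable(conn, uuid):
    # Stage 2 (vulnerable): the value is read back from the database and
    # treated as trusted because "it came from our own table", then
    # interpolated into SQL. The stored payload executes here.
    (team,) = conn.execute("SELECT team FROM devices WHERE uuid = ?", (uuid,)).fetchone()
    sql = f"SELECT name, secret FROM profiles WHERE team = '{team}'"
    return conn.execute(sql).fetchall()

def profiles_for_device_fixed(conn, uuid):
    # Stage 2 (fixed): every value that reaches a query is bound, regardless
    # of whether it originated from a request or from an earlier DB write.
    (team,) = conn.execute("SELECT team FROM devices WHERE uuid = ?", (uuid,)).fetchone()
    return conn.execute(
        "SELECT name, secret FROM profiles WHERE team = ?", (team,)
    ).fetchall()

def demo():
    conn = build_db()
    enroll(conn, "dev-1", "eng")                  # honest device
    enroll(conn, "dev-2", "eng' OR '1'='1")       # device that stores a payload at stage 1
    return {
        "honest":        profiles_for_device_vulnerable(conn, "dev-1"),
        "vuln_payload":  profiles_for_device_vulnerable(conn, "dev-2"),  # leaks every team's secrets
        "fixed_payload": profiles_for_device_fixed(conn, "dev-2"),       # no team has that literal name
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The defensive takeaway is the reason the class is called second-order: input validation or parameterization at the ingest path does not protect a later query that rebuilds SQL from stored values, so every query in the delivery path must bind its inputs, and reviews should trace stored attributes forward to each place they are read back into SQL.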
What This Means For You
- Organizations running Fleet should verify their deployed version and upgrade to 4.81.0 or later to close CVE-2026-34385. Where an immediate upgrade is not possible, review and rotate any credentials or API tokens that may have been reachable through the MDM pipeline; rotation limits the damage from data already read but does not remove the flaw itself.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34385 | SQLi | Fleet < 4.81.0, Apple MDM profile delivery pipeline, second-order SQL injection |
| CVE-2026-34385 | Information Disclosure | Fleet < 4.81.0, Apple MDM profile delivery pipeline, exfiltrate database contents (user credentials, API tokens, device enrollment secrets) |
| CVE-2026-34385 | Code Injection | Fleet < 4.81.0, Apple MDM profile delivery pipeline, modify database contents (user credentials, API tokens, device enrollment secrets) |