CVE-2026-34385

Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

Description

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.

INFO

Published Date :

2026-03-27T18:29:05.556Z

Last Modified :

2026-03-27T18:29:05.556Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-34385 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34385.

URL	Resource
https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability