CVE-2026-34386 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-34386 PUBLISHED CVSS 6.300000190734863 MEDIUM

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

EPSS 0.03% · 8.6th percentile

Risk Scores

CVSS v4.0

6.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

EPSS Score

0.03%

8.6th percentile

Affected Products

Vendor	Product	Versions
fleetdm	fleet	< 4.81.0, < 4.81.0, < 4.81.0
github.com	fleetdm/fleet/v4	0

Timeline

Mar 27, 2026 Coalition ESS Score
Mar 27, 2026 CVE Published
Mar 28, 2026 EPSS Score
Mar 30, 2026 CVE Updated
Mar 31, 2026 Security Advisory
Apr 2, 2026 PoC Published

References

Open in Interactive Console →