VDB

CVE-2026-34386

CVE-2026-34386 PUBLISHED CVSS 6.300000190734863 MEDIUM

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

EPSS 0.02% · 3.7th percentile

Risk Scores

CVSS 4.0
6.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
EPSS Score
0.02%
3.7th percentile

Affected Products

VendorProductVersions
fleetdmfleet< 4.81.0, < 4.81.0, < 4.81.0
github.comfleetdm/fleet/v40

Timeline

  • Mar 27, 2026 Coalition ESS Score
  • Mar 27, 2026 CVE Published
  • Mar 28, 2026 EPSS Score
  • Mar 31, 2026 Security Advisory
  • Apr 2, 2026 PoC Published
  • Apr 2, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›