CVE-2026-34386 · HIGH 8.8 · EPSS p23.3%

CVE-2026-34386

Description

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.32% probability of exploitation · percentile 23.3% · 2026-06-19T12:03:05Z
Published: 2026-03-27
Last modified: 2026-04-02

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m


Type     | Target                                                                                    | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2026-34385
CVE · CVE-2026-34387
CVE · CVE-2026-26186
CVE · CVE-2026-26191
CVE · CVE-2026-23518
CVE · CVE-2026-29180
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.