PT-2026-28627 · Fleet · Fleet

Prateek-0490 · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-34386

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.0

Description: Fleet is open source device management software. Versions prior to 4.81.0 are susceptible to a SQL injection issue in the MDM bootstrap package configuration API. An authenticated user holding Team Admin or Global Admin privileges can, through direct calls to the bootstrap package configuration endpoints, modify arbitrary team configurations, extract sensitive data from the Fleet database, and inject content into team configurations.

Recommendations: Update to version 4.81.0 or later.

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-34386
GHSA-9P23-P2M4-2R4M
GO-2026-4913
SUSE-SU-2026:1205-1

Affected products

Fleet