PT-2026-28627 · Fleet
Prateek-0490
Published: 2026-03-27 · Updated: 2026-04-07
CVE-2026-34386
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.81.0
Description
Fleet is open source device management software that is susceptible to a SQL injection issue in its MDM bootstrap package configuration. An authenticated user with Team Admin or Global Admin privileges can, through direct calls to the API endpoints related to the MDM bootstrap package configuration, modify arbitrary team configurations, extract sensitive data from the Fleet database, and inject content into team configurations.
Recommendations
Update to version 4.81.0 or later.
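The following Go program is an added illustration of the defect class named in this advisory and of the standard fix; it is not Fleet's code, and the table `team_config`, the column `bootstrap_url`, and all function names are invented for the example. It contrasts a statement assembled by string concatenation (where a caller-controlled value becomes part of the SQL text) with the constant-query-plus-arguments shape that `database/sql`'s `ExecContext(ctx, query, args...)` expects, and adds a defence-in-depth check that a bootstrap package location must be an absolute https URL before it is stored at all.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Hypothetical table and column names for illustration only; not Fleet's schema.
const updateBootstrapSafeSQL = "UPDATE team_config SET bootstrap_url = ? WHERE team_id = ?"

// buildUpdateUnsafe splices caller-controlled values into the SQL text.
// Whatever the caller sends becomes part of the statement: this is the
// vulnerable pattern, kept here only as the "before" of the fix.
func buildUpdateUnsafe(teamID, bootstrapURL string) string {
	return "UPDATE team_config SET bootstrap_url = '" + bootstrapURL +
		"' WHERE team_id = " + teamID
}

// buildUpdateSafe keeps the statement constant and returns the values as
// separate arguments. A database/sql driver sends them as bound parameters,
// so they are treated as data and can never change the statement's structure.
func buildUpdateSafe(teamID uint, bootstrapURL string) (string, []interface{}) {
	return updateBootstrapSafeSQL, []interface{}{bootstrapURL, teamID}
}

// validateBootstrapURL rejects anything that is not an absolute https URL.
// This does not replace parameterised queries; it narrows what reaches the
// database in the first place and gives a clear error to the API caller.
func validateBootstrapURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return errors.New("bootstrap URL must be an absolute https URL")
	}
	return nil
}

func main() {
	// Constructed input for the demo: harmless as a bound parameter, but it
	// changes the meaning of the concatenated statement.
	hostile := "x' OR 1=1 -- "

	fmt.Println("unsafe:", buildUpdateUnsafe("7", hostile))
	q, args := buildUpdateSafe(7, hostile)
	fmt.Println("safe:  ", q, args)
	fmt.Println("validation:", validateBootstrapURL(hostile))
}
```

Running it prints the concatenated statement with the injected `OR 1=1` condition visible in the SQL text, while the safe variant's query string is unchanged and the same value merely travels as the first argument; the validation step rejects it before any query is built.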
Tags: Exploit, Fix, SQL injection
Affected Products
Fleet