SQL Injection in Fleetdm Fleet

CVE-2026-34385

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or mo…

Vulnerability class: SQL Injection

EPSS: 0.000 (1.0th percentile)

Affected products

Weakness classification (CWE)

References