CVE-2026-34385: Second-Order SQL Injection in Fleet Apple MDM Profile Delivery
Vulnerability ID: CVE-2026-34385
CVSS Score: 6.2
Published: 2026-03-30
Fleet open-source device management software prior to version 4.81.0 contains a second-order SQL injection vulnerability in its Apple MDM profile delivery pipeline. An attacker with a valid MDM enrollment certificate can exploit this flaw to execute arbitrary database modifications.
TL;DR
A second-order SQL injection in Fleet's Apple MDM pipeline allows an attacker holding a valid MDM enrollment certificate to inject a payload through the device UDID field: the value is accepted and stored at enrollment, then later incorporated unsafely into a query when profiles are delivered. Where the database connection accepts multi-statement queries, this permits arbitrary data exfiltration and database modification. Upgrading to version 4.81.0 remediates the vulnerability.
Technical Details
- CWE ID: CWE-89
- Attack Vector: Network (AV:N)
- CVSS Score: 6.2
- EPSS Score: 0.00018
- Exploit Status: None Public
- CISA KEV: Not Listed
Affected Systems
- Fleet Apple MDM Profile Delivery Pipeline
- Fleet: < 4.81.0 (Fixed in: 4.81.0)
Mitigation Strategies
- Upgrade Fleet to version 4.81.0 or later.
- Disable Apple MDM functionality if patching is not immediately feasible.
- Audit database logs for anomalous multi-statement queries or unauthorized administrative account creation.
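The mechanism described in the TL;DR (a stored UDID reaching a later query as text) and the audit advice above (flag multi-statement queries) share one underlying check: how many statements a query text would execute as. The following Go program is an added example, not Fleet's code and not from the advisory. Table names (`example_profiles`, `example_table`), the injected UDID value, and the general-log lines are all constructed and hypothetical; the splitter is a heuristic for audit purposes, not a full MySQL parser.

```go
package main

import (
	"fmt"
	"strings"
)

// splitStatements splits SQL text into top-level statements. A ';' inside a
// single-quoted literal (with '' or \' escapes) is data, not a separator, and
// "--" / "#" comments run to end of line. Heuristic only; not a MySQL parser.
func splitStatements(sql string) []string {
	var stmts []string
	var cur strings.Builder
	inStr := false
	flush := func() {
		if s := strings.TrimSpace(cur.String()); s != "" {
			stmts = append(stmts, s)
		}
		cur.Reset()
	}
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case inStr && c == '\\' && i+1 < len(sql):
			// backslash escape inside a literal: copy both bytes, stay in string
			cur.WriteByte(c)
			i++
			cur.WriteByte(sql[i])
		case inStr && c == '\'' && i+1 < len(sql) && sql[i+1] == '\'':
			// doubled quote inside a literal is an escaped quote
			cur.WriteString("''")
			i++
		case c == '\'':
			inStr = !inStr
			cur.WriteByte(c)
		case !inStr && (c == '#' || (c == '-' && i+1 < len(sql) && sql[i+1] == '-')):
			// comment outside a literal: skip to end of line
			for i < len(sql) && sql[i] != '\n' {
				i++
			}
		case !inStr && c == ';':
			flush()
		default:
			cur.WriteByte(c)
		}
	}
	flush()
	return stmts
}

// buildProfileQueryVulnerable shows the second-order pattern: udid is a value
// read back from the database (stored safely at enrollment) and then
// concatenated into a new statement. Illustrative only; not Fleet's code.
func buildProfileQueryVulnerable(udid string) string {
	return fmt.Sprintf("SELECT profile FROM example_profiles WHERE udid = '%s'", udid)
}

// buildProfileQuerySafe is the hardened form: the stored value travels as a
// bound parameter, so the statement text is constant regardless of the UDID.
func buildProfileQuerySafe(udid string) (string, []interface{}) {
	return "SELECT profile FROM example_profiles WHERE udid = ?", []interface{}{udid}
}

// isMultiStatement reports whether a connection that permits multi-statements
// would execute this text as more than one statement.
func isMultiStatement(query string) bool {
	return len(splitStatements(query)) > 1
}

// auditLogLines flags MySQL general-log style lines (assumed layout:
// "<timestamp>\t<thread id> Query\t<sql>") whose SQL is multi-statement.
func auditLogLines(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		parts := strings.SplitN(line, "Query\t", 2)
		if len(parts) != 2 {
			continue
		}
		if isMultiStatement(parts[1]) {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

// Constructed inputs: a benign UDID, a hypothetical injected UDID, and three
// hypothetical general-log lines. None of these come from Fleet or the advisory.
var (
	benignUDID    = "ABC123"
	maliciousUDID = "ABC123'; UPDATE example_table SET flag = 1; -- "
	sampleLog     = []string{
		"2026-03-30T10:00:01.000000Z\t   12 Query\tSELECT profile FROM example_profiles WHERE udid = 'ABC123'",
		"2026-03-30T10:00:02.000000Z\t   12 Query\tSELECT profile FROM example_profiles WHERE udid = 'ABC123'; UPDATE example_table SET flag = 1; -- '",
		"2026-03-30T10:00:03.000000Z\t   13 Query\tINSERT INTO example_profiles (udid, profile) VALUES ('X;Y', 'a;b')",
	}
)

func main() {
	for _, u := range []string{benignUDID, maliciousUDID} {
		q := buildProfileQueryVulnerable(u)
		fmt.Printf("vulnerable: %d statement(s): %q\n", len(splitStatements(q)), q)
		s, args := buildProfileQuerySafe(u)
		fmt.Printf("hardened:   %d statement(s): %q args=%q\n", len(splitStatements(s)), s, args)
	}
	for _, l := range auditLogLines(sampleLog) {
		fmt.Println("flagged:", l)
	}
}
```

The third constructed log line carries semicolons inside string literals and is deliberately not flagged; a naive `strings.Count(line, ";")` audit would raise a false positive there. The hardened builder never changes its statement text, which is also why the second-order path is closed once the stored value is bound as a parameter rather than interpolated.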
Remediation Steps
- Verify the current running version of Fleet via the API or web interface.
- Schedule a maintenance window for deployment.
- Download the Fleet 4.81.0 release binary or container image.
- Deploy the update following standard operational procedures.
- Validate that Apple MDM profile delivery functions correctly post-upgrade.
References
- GitHub Security Advisory: GHSA-v895-833r-8c45
- NVD Entry for CVE-2026-34385
- Fleet Releases
- OSV Database Entry
- CVE.org Record