CVE-2026-34385 Overview
A second-order SQL injection vulnerability has been identified in Fleet, the open source device management software. The flaw exists in Fleet's Apple MDM profile delivery pipeline and could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database. This includes sensitive data such as user credentials, API tokens, and device enrollment secrets.
Critical Impact
Attackers with valid MDM enrollment certificates can exploit this SQL injection vulnerability to access and modify critical database contents including credentials and API tokens.
Affected Products
- Fleet versions prior to 4.81.0 (the affected code is the Apple MDM profile delivery pipeline in the Fleet server)
Discovery Timeline
- 2026-03-27 - CVE-2026-34385 published to NVD
- 2026-03-30 - Last updated in the NVD database
Technical Details for CVE-2026-34385
Vulnerability Analysis
This vulnerability is classified as a second-order SQL injection (CWE-89). Unlike a first-order injection, the malicious payload is not executed by the query that first receives it: that query stores it safely (typically through a parameterized INSERT), and the injection happens later, when another code path reads the stored value back and interpolates it into a new SQL statement instead of binding it as a parameter.
In Fleet's Apple MDM profile delivery pipeline, an attacker who holds a valid MDM enrollment certificate can supply a value that is stored at enrollment time and later consumed by that pipeline. The payload only has to survive whatever validation exists at the entry point, which is why input checks at the point of entry alone do not prevent this class of bug; only parameterizing the later query does.
The vulnerability enables both data exfiltration and modification capabilities, meaning attackers can read sensitive information from the database as well as alter existing records. The compromised data types include user credentials, API tokens, and device enrollment secrets—all critical components for maintaining the security posture of managed devices.
Root Cause
The root cause of this vulnerability lies in improper input sanitization within the MDM profile delivery pipeline. When processing data associated with enrolled devices, the application fails to properly parameterize SQL queries, allowing previously stored malicious input to be interpreted as SQL commands during subsequent database operations.
Attack Vector
The attack requires network access to the Fleet MDM endpoints and a valid MDM enrollment certificate, which is the only authentication involved: any enrolled device satisfies it, so the attacker does not need a Fleet user account. An attacker would:
- Obtain or compromise a valid MDM enrollment certificate
- Submit specially crafted data through the enrollment process
- Wait for the malicious payload to be processed by the profile delivery pipeline
- Extract or modify database contents through the injected SQL statements
The second-order nature of this attack makes it particularly insidious as the malicious input may pass initial validation checks, only to be weaponized when retrieved and used in subsequent queries.
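The mechanics described in the analysis, root cause and attack vector sections above, as an added example: this is not Fleet's code and not the actual vulnerable query, but an in-memory SQLite model with made-up `hosts`, `host_profiles` and `api_tokens` tables. `enroll_host` stores the attacker's value through a parameterized INSERT, so the entry point is first-order safe; `pending_profiles_vulnerable` later formats the stored value into a SELECT, and a `UNION` in the stored value reads an API token back through the profile lookup; `pending_profiles_fixed` binds the same stored value as a parameter and returns nothing for the payload.

```python
import sqlite3

# Constructed, deliberately simplified schema for illustration; these are NOT
# Fleet's real tables or columns.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, uuid TEXT NOT NULL);
CREATE TABLE host_profiles (host_uuid TEXT NOT NULL,
                            profile_identifier TEXT NOT NULL,
                            status TEXT NOT NULL);
CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, token TEXT NOT NULL);
"""

# Second-order payload: inert data to the parameterized INSERT that stores it,
# live SQL once a later query splices the stored value in as a string.
PAYLOAD = "x' UNION SELECT token FROM api_tokens --"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO api_tokens (token) VALUES ('fleet_api_token_REDACTED')")
    return conn


def enroll_host(conn, device_uuid):
    """Entry point (think: enrollment). Parameterized, so the payload is merely stored."""
    cur = conn.execute("INSERT INTO hosts (uuid) VALUES (?)", (device_uuid,))
    return cur.lastrowid


def assign_profile(conn, device_uuid, identifier):
    conn.execute(
        "INSERT INTO host_profiles VALUES (?, ?, 'pending')", (device_uuid, identifier)
    )


def pending_profiles_vulnerable(conn, host_id):
    """Second-order sink: reads the stored UUID back and formats it into SQL."""
    (uuid,) = conn.execute("SELECT uuid FROM hosts WHERE id = ?", (host_id,)).fetchone()
    sql = (
        "SELECT profile_identifier FROM host_profiles "
        f"WHERE host_uuid = '{uuid}' AND status = 'pending'"
    )
    return [row[0] for row in conn.execute(sql)]


def pending_profiles_fixed(conn, host_id):
    """Same lookup with the stored value bound as a parameter: no injection."""
    (uuid,) = conn.execute("SELECT uuid FROM hosts WHERE id = ?", (host_id,)).fetchone()
    rows = conn.execute(
        "SELECT profile_identifier FROM host_profiles "
        "WHERE host_uuid = ? AND status = 'pending'",
        (uuid,),
    )
    return [row[0] for row in rows]


def demo():
    conn = new_db()
    legit_uuid = "3F2504E0-4F89-11D3-9A0C-0305E82C3301"
    legit = enroll_host(conn, legit_uuid)
    assign_profile(conn, legit_uuid, "com.example.wifi")
    evil = enroll_host(conn, PAYLOAD)  # passes the entry point untouched
    return {
        "legit_vulnerable": pending_profiles_vulnerable(conn, legit),  # ['com.example.wifi']
        "evil_vulnerable": pending_profiles_vulnerable(conn, evil),    # ['fleet_api_token_REDACTED']
        "evil_fixed": pending_profiles_fixed(conn, evil),              # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point to take from the model is that the UUID the attacker controls never reaches the database as SQL at enrollment; it becomes SQL only when the profile lookup trusts a value because it came from its own database. The fix is the same as for any injection: bind every value, including ones read back from your own tables.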
Detection Methods for CVE-2026-34385
Indicators of Compromise
- Unusual SQL error messages in Fleet server logs related to MDM profile operations
- Unexpected database query patterns originating from the MDM profile delivery component
- Evidence of bulk data extraction or unusual SELECT statements in database audit logs
- Modified user credentials, API tokens, or enrollment secrets without legitimate administrative action
Detection Strategies
- Implement database activity monitoring to detect anomalous SQL query patterns
- Enable detailed logging for the MDM profile delivery pipeline and review for suspicious activity
- Monitor for authentication failures that may indicate use of exfiltrated credentials
- Deploy web application firewall (WAF) rules for SQL injection on the MDM endpoints, treating them as a secondary control: a second-order payload can look benign at the entry point, and Apple MDM check-in bodies are plist/XML that generic rule sets inspect poorly, so a clean WAF log is not evidence that no injection occurred
Monitoring Recommendations
- Audit database access logs for unusual queries against user credential and API token tables
- Set up alerts for any direct database modifications outside of normal application operations
- Monitor Fleet server logs for errors related to SQL syntax or database operations
- Track MDM enrollment certificate usage patterns to identify potential abuse
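A concrete version of the database-side detection the three lists above call for, as an added example that is not part of the original page and not a Fleet tool: a scanner over MySQL general-query-log lines that flags injection syntax a parameterized query builder never emits (UNION SELECT, inline comments, information_schema lookups, stacked writes, file I/O, timing functions) and raises the severity when the statement touches credential tables. The log lines are constructed for this example; the table names mirror Fleet's schema as an assumption, and the statements themselves are made up.

```python
import re

# Constructed sample in MySQL general-query-log format (timestamp, thread id,
# command, statement). Table names are assumed to mirror Fleet's schema; the
# statements are invented for this example.
SAMPLE_LOG = """\
2026-03-28T10:15:02.000000Z\t   42 Query\tSELECT identifier FROM mdm_apple_configuration_profiles WHERE team_id = 0
2026-03-28T10:15:02.100000Z\t   42 Query\tSELECT profile_uuid FROM host_mdm_apple_profiles WHERE host_uuid = '3F2504E0-4F89-11D3-9A0C-0305E82C3301' AND status = 'pending'
2026-03-28T10:15:03.000000Z\t   43 Query\tSELECT profile_uuid FROM host_mdm_apple_profiles WHERE host_uuid = 'x' UNION SELECT secret FROM enroll_secrets -- ' AND status = 'pending'
2026-03-28T10:15:04.000000Z\t   43 Query\tSELECT profile_uuid FROM host_mdm_apple_profiles WHERE host_uuid = 'x' UNION SELECT email FROM users /* */
2026-03-28T10:15:05.000000Z\t   44 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema = 'fleet'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) Query\t(?P<sql>.*)$")

# Injection syntax that a parameterized ORM/query builder does not emit on its own.
RULES = {
    "union-select": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "inline-comment": re.compile(r"--\s|/\*"),
    "information-schema": re.compile(r"\binformation_schema\b", re.I),
    "stacked-write": re.compile(r";\s*(INSERT|UPDATE|DELETE|DROP|ALTER)\b", re.I),
    "file-io": re.compile(r"\b(LOAD_FILE|INTO\s+(OUTFILE|DUMPFILE))\b", re.I),
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}
# Tables whose appearance in an injected statement means credentials are in play
# (assumed Fleet table names).
SENSITIVE = re.compile(r"\b(users|sessions|enroll_secrets|api_tokens)\b", re.I)


def scan(log_text):
    """Return one finding per log line that matches at least one injection rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        hits = [name for name, rx in RULES.items() if rx.search(sql)]
        if not hits:
            continue
        findings.append({
            "line": lineno,
            "thread": int(m.group("thread")),
            "rules": hits,
            "severity": "high" if SENSITIVE.search(sql) else "medium",
            "sql": sql,
        })
    return findings


def threads_to_investigate(findings):
    """MySQL connection/thread ids with high-severity hits, for correlation with Fleet server logs."""
    return sorted({f["thread"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} thread {f['thread']} {f['severity']}: {f['rules']}")
    print("threads:", threads_to_investigate(scan(SAMPLE_LOG)))
```

The general log is expensive on a busy Fleet instance; the same rules apply unchanged to a MySQL audit plugin or a proxy-side query log. Expect to tune the `inline-comment` rule if anything in your stack adds `/* ... */` hints to queries, and keep the thread id: it is what lets you tie a suspicious statement back to the Fleet server request, and from there to the enrollment certificate that made it.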
How to Mitigate CVE-2026-34385
Immediate Actions Required
- Upgrade Fleet to version 4.81.0 or later immediately
- Rotate all API tokens and device enrollment secrets as a precautionary measure
- Force password resets for all Fleet user accounts
- Audit database contents for signs of unauthorized access or modification
- Review MDM enrollment certificate inventory and revoke any suspicious certificates
Patch Information
Fleet has addressed this vulnerability in version 4.81.0. Organizations should upgrade to this version or later to remediate the SQL injection flaw. The security advisory is available on GitHub Security Advisory GHSA-v895-833r-8c45.
Workarounds
- Restrict network access to Fleet MDM endpoints to trusted networks only
- Implement additional network segmentation around Fleet infrastructure
- Deploy database activity monitoring to detect and alert on suspicious queries
- Consider temporarily disabling MDM profile delivery features until patching is complete
- Implement strict MDM certificate management with regular audits and short validity periods
# Upgrade Fleet to the patched release. Container flow shown; the binary flow is
# the same: replace the binary, run `fleet prepare db`, then restart `fleet serve`.
# fleet.env is assumed to hold the FLEET_MYSQL_* connection variables.
docker pull fleetdm/fleet:v4.81.0
docker run --rm --env-file fleet.env fleetdm/fleet:v4.81.0 fleet prepare db --no-prompt
# ...then restart the Fleet server on the new image.

# Rotate the global enroll secrets: applying an enroll_secret spec replaces the set.
# Team secrets are set per team. API tokens and user passwords are invalidated through
# the Fleet UI or REST API; there is no bulk fleetctl command for them.
NEW_SECRET=$(openssl rand -base64 32)
printf 'apiVersion: v1\nkind: enroll_secret\nspec:\n  secrets:\n    - secret: %s\n' "$NEW_SECRET" > enroll-secrets.yml
fleetctl apply -f enroll-secrets.yml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.