CVE-2026-34385: Fleet's Apple MDM profile delivery has a second-order SQL injection that can compromise the database
A critical second-order SQL Injection vulnerability in Fleet’s Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets.