CVE-2026-34386: Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin

March 30, 2026

A SQL Injection vulnerability in Fleet’s MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls.

References

github.com/advisories/GHSA-9p23-p2m4-2r4m
github.com/fleetdm/fleet
github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m
nvd.nist.gov/vuln/detail/CVE-2026-34386

Code Behaviors & Features

Detect and mitigate CVE-2026-34386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →