Fleet is an open source device management platform widely used to manage and monitor endpoints, including Apple devices via Mobile Device Management (MDM). CVE-2026-34385 identifies a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline present in versions prior to 4.81.0. This vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), allowing malicious input to be stored and later executed as part of SQL queries. An attacker possessing a valid MDM enrollment certificate can exploit this flaw remotely without additional user interaction or elevated privileges beyond the certificate. The exploitation enables unauthorized reading or modification of the Fleet database, potentially exposing or altering sensitive information such as user credentials, API tokens, and device enrollment secrets. This can lead to further compromise of the device management infrastructure and connected endpoints. The vulnerability has a CVSS 4.0 base score of 6.2, reflecting medium severity due to the requirement of a valid certificate but no user interaction or complex attack conditions. The issue was publicly disclosed on March 27, 2026, and patched in Fleet version 4.81.0. No known exploits are currently reported in the wild, but the sensitive nature of the data at risk makes timely remediation critical.

The impact of CVE-2026-34385 is significant for organizations relying on Fleet for device management, especially those managing Apple devices via MDM. Successful exploitation can lead to unauthorized disclosure and modification of critical data, including user credentials and API tokens, which can cascade into broader system compromise. Attackers could potentially manipulate device enrollment secrets, undermining the integrity of device management and enabling persistent unauthorized access or device control. This could disrupt operational continuity, lead to data breaches, and erode trust in the organization's security posture. Given Fleet's role in managing potentially thousands of devices, the scope of impact can be extensive, affecting confidentiality, integrity, and availability of device management services. The requirement for a valid MDM enrollment certificate limits the attack surface but does not eliminate risk, as certificate compromise or insider threats could facilitate exploitation.

Organizations should immediately upgrade Fleet to version 4.81.0 or later to apply the official patch addressing this SQL injection vulnerability. Additionally, they should audit and restrict issuance and management of MDM enrollment certificates to minimize the risk of certificate misuse. Implement strict access controls and monitoring around the Fleet management infrastructure to detect anomalous activities indicative of exploitation attempts. Employ database activity monitoring to identify suspicious queries or unauthorized data access. Regularly review and rotate sensitive credentials and API tokens stored within Fleet. Consider network segmentation to limit exposure of Fleet servers to only trusted management networks. Conduct security training for administrators managing MDM certificates to prevent social engineering or insider threats. Finally, maintain up-to-date backups of Fleet databases to enable recovery in case of data tampering.