CVE-2026-34386

High
CWE-89 — Weakness Type
Published: Mar 27, 2026  ·  Modified: Apr 3, 2026  ·  Source: NVD
CVSS v3
8.8
🔗 NVD Official
📄 Description (English)

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

🤖 AI Executive Summary

CVE-2026-34386 is a SQL injection vulnerability in Fleet device management software (versions prior to 4.81.0) that allows authenticated administrators to execute arbitrary SQL queries, exfiltrate sensitive database information, and modify team configurations. With a CVSS score of 8.8, this vulnerability poses significant risk to organizations using Fleet for MDM operations. The vulnerability requires admin-level privileges but enables complete database compromise and lateral movement within managed device ecosystems.

🤖 AI Intelligence Analysis (analyzed: Apr 23, 2026 05:20)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Fleet for enterprise device management face critical risk, particularly:
1. Government agencies and NCA-regulated entities managing sensitive citizen data and national security infrastructure
2. ARAMCO and energy sector operators using Fleet for industrial device management and SCADA systems
3. Banking sector (SAMA-regulated) institutions using Fleet for endpoint management of financial systems
4. Telecom providers (STC, Mobily) managing network infrastructure and customer devices
5. Healthcare organizations managing medical devices and patient data systems
The SQL injection allows attackers with admin access to exfiltrate entire databases containing credentials, configuration data, and sensitive operational information critical to Saudi critical infrastructure.
🏢 Affected Saudi Sectors
Government and Public Administration; Banking and Financial Services; Energy and Utilities; Telecommunications; Healthcare; Critical Infrastructure; Defense and Security
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Fleet instances in your environment and document versions (check /api/v1/fleet/version endpoint)
2. Restrict API access to Fleet MDM bootstrap endpoints to only necessary service accounts
3. Implement network segmentation isolating Fleet servers from untrusted networks
4. Enable comprehensive audit logging for all API calls to Fleet, particularly those modifying team configurations
5. Review recent API access logs for suspicious SQL-like patterns in bootstrap configuration parameters

PATCHING GUIDANCE:
1. Upgrade Fleet to version 4.81.0 or later immediately (critical priority)
2. If immediate patching is not possible, disable MDM bootstrap functionality until patched
3. Test patches in non-production environment first given database-critical nature

COMPENSATING CONTROLS (if patch delayed):
1. Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests (monitor for: UNION, SELECT, DROP, INSERT, UPDATE, DELETE in bootstrap config parameters)
2. Apply principle of least privilege - audit and remove unnecessary admin accounts
3. Implement database-level query monitoring and alerting for suspicious SQL patterns
4. Use database activity monitoring (DAM) solutions to detect unauthorized data exfiltration
5. Implement API rate limiting and request validation on bootstrap endpoints

DETECTION RULES:
1. Alert on API calls to /api/v1/fleet/teams/*/mdm/bootstrap containing SQL keywords
2. Monitor for unusual database query patterns from Fleet service account
3. Alert on bulk data exports or SELECT queries returning >1000 rows from sensitive tables
4. Track modifications to team configurations outside normal change windows
5. Monitor for failed authentication attempts followed by successful admin API calls
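The detection rules above can be run over API audit logs as they stand. The following is an added example (not code from the page, from Fleet, or from CISO Consulting) that implements rules 1, 4 and 5 over constructed JSON-lines audit records. The log schema (id, ts, src, user, method, path, status, body), the 09:00-17:00 UTC change window, the 15-minute failed-login lookback and the login path are assumptions made for the example; the endpoint pattern and the SQL keyword list are the ones the page's rules name. Rules 2 and 3 need database-side telemetry and are not covered here.

```python
"""Detection logic for Fleet API audit logs, modelled on the page's DETECTION RULES.

Added example. The log format, field names, change window and lookback are
assumptions, not Fleet's actual audit-log schema.
"""
import json
import re
from datetime import datetime, time, timedelta

# Rule 1: the SQL keywords the page lists, matched as whole words, case-insensitive.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|DROP|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
# Endpoint pattern from the page's detection rule 1 (team id as a wildcard).
BOOTSTRAP_PATH = re.compile(r"^/api/v1/fleet/teams/[^/]+/mdm/bootstrap(/|$)")
# Rule 4: approved change window (assumption: 09:00-17:00 on the log's UTC clock).
CHANGE_WINDOW = (time(9, 0), time(17, 0))
# Rule 5: failed logins followed by a successful admin call from the same source.
AUTH_FAIL_LOOKBACK = timedelta(minutes=15)
LOGIN_PATH = "/api/v1/fleet/login"  # assumption
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def strings_in(obj):
    """Yield every string value nested anywhere inside a decoded JSON body."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from strings_in(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from strings_in(v)


def sql_keyword_hits(body):
    """Sorted, upper-cased SQL keywords found in any string of the body."""
    hits = set()
    for s in strings_in(body):
        hits.update(m.upper() for m in SQL_KEYWORDS.findall(s))
    return sorted(hits)


def parse(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def analyze(log_text):
    """Return {request id -> [finding, ...]} for every request that trips a rule."""
    records = [parse(l) for l in log_text.strip().splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])
    recent_failures = {}  # src ip -> timestamps of 401s on the login endpoint
    findings = {}
    for rec in records:
        out = []
        if rec["path"] == LOGIN_PATH and rec["status"] == 401:
            recent_failures.setdefault(rec["src"], []).append(rec["ts"])
            continue
        if BOOTSTRAP_PATH.match(rec["path"]):
            hits = sql_keyword_hits(rec.get("body"))
            if hits:  # rule 1
                out.append("sql_keywords:" + ",".join(hits))
            in_window = CHANGE_WINDOW[0] <= rec["ts"].time() < CHANGE_WINDOW[1]
            if rec["method"] in MUTATING and not in_window:  # rule 4
                out.append("outside_change_window")
        if rec["method"] in MUTATING and rec["status"] < 400:  # rule 5
            fails = [t for t in recent_failures.get(rec["src"], [])
                     if rec["ts"] - t <= AUTH_FAIL_LOOKBACK]
            if fails:
                out.append(f"failed_auth_then_admin_call:{len(fails)}")
        if out:
            findings[rec["id"]] = out
    return findings


# Constructed sample records (TEST-NET addresses, invented users and package names).
SAMPLE_LOG = """
{"id":"r1","ts":"2026-04-01T10:15:00Z","src":"198.51.100.10","user":"alice","method":"GET","path":"/api/v1/fleet/version","status":200}
{"id":"r2","ts":"2026-04-01T10:16:30Z","src":"198.51.100.10","user":"alice","method":"POST","path":"/api/v1/fleet/teams/7/mdm/bootstrap","status":200,"body":{"name":"bootstrap.pkg","url":"https://pkg.example/bootstrap.pkg"}}
{"id":"r3","ts":"2026-04-02T03:00:00Z","src":"203.0.113.5","user":"bob","method":"POST","path":"/api/v1/fleet/login","status":401}
{"id":"r4","ts":"2026-04-02T03:00:20Z","src":"203.0.113.5","user":"bob","method":"POST","path":"/api/v1/fleet/login","status":401}
{"id":"r5","ts":"2026-04-02T03:05:00Z","src":"203.0.113.5","user":"bob","method":"POST","path":"/api/v1/fleet/teams/7/mdm/bootstrap","status":200,"body":{"name":"bootstrap.pkg UNION SELECT","url":"https://pkg.example/b.pkg"}}
{"id":"r6","ts":"2026-04-02T03:06:00Z","src":"203.0.113.5","user":"bob","method":"GET","path":"/api/v1/fleet/teams/7","status":200}
"""

if __name__ == "__main__":
    for req_id, reasons in analyze(SAMPLE_LOG).items():
        print(req_id, reasons)
```

Only r5 is reported, with all three findings stacked; the benign daytime upload r2 is silent. Keyword matching on its own is noisy (a legitimate package named "nightly update" trips the UPDATE keyword), which is why the example raises alerts for review rather than blocking and why the change-window and failed-login context is kept alongside the keyword hit.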
🔧 Remediation Steps (translated from Arabic)
IMMEDIATE ACTIONS:
1. Identify all Fleet instances in your environment and document their versions (check the /api/v1/fleet/version endpoint)
2. Restrict API access to Fleet's MDM bootstrap endpoints to only the necessary service accounts
3. Apply network segmentation to isolate Fleet servers from untrusted networks
4. Enable comprehensive audit logging for all API calls to Fleet, especially those that modify team configurations
5. Review recent API access logs for suspicious SQL-like patterns in bootstrap configuration parameters

PATCHING GUIDANCE:
1. Upgrade Fleet to version 4.81.0 or later immediately (critical priority)
2. If immediate patching is not possible, disable the MDM bootstrap function until patched
3. Test patches in a non-production environment first, given the database-critical nature

COMPENSATING CONTROLS (if patching is delayed):
1. Apply Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests
2. Apply the principle of least privilege: audit and remove unnecessary administrator accounts
3. Apply database-level query monitoring and alerting for suspicious patterns
4. Use database activity monitoring (DAM) solutions to detect unauthorized data leakage
5. Apply API rate limiting and request validation on the bootstrap endpoints

DETECTION RULES:
1. Alert on API calls containing SQL keywords in bootstrap parameters
2. Monitor unusual database query patterns from the Fleet service account
3. Alert on bulk data exports or SELECT queries returning more than 1000 rows
4. Track modifications to team configurations outside normal change windows
5. Monitor failed authentication attempts followed by successful administrator API calls
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (admin privilege abuse)
ECC 2024 A.5.2.1 - User Registration and Access Rights Management
ECC 2024 A.6.1.2 - Restriction of Access to Information (SQL injection data exfiltration)
ECC 2024 A.12.2.1 - Event Logging (audit trail of API modifications)
ECC 2024 A.12.4.1 - Recording User Activities (admin action logging)
ECC 2024 A.14.2.1 - Secure Development Policy (input validation, parameterized queries)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (inventory of Fleet instances)
SAMA CSF PR.AC-1 - Access Control (admin privilege management)
SAMA CSF PR.DS-2 - Data Security (protection against SQL injection)
SAMA CSF DE.AE-1 - Anomalies and Events (detection of suspicious API calls)
SAMA CSF DE.CM-1 - Detection Processes (monitoring for SQL injection patterns)
SAMA CSF RS.AN-1 - Analysis (incident investigation of database access)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - User Access Management (admin privilege controls)
ISO 27001:2022 A.5.3 - Access Control (principle of least privilege)
ISO 27001:2022 A.8.3 - Cryptography (secure API communication)
ISO 27001:2022 A.12.4 - Logging (comprehensive audit trails)
ISO 27001:2022 A.14.2 - Secure Development (input validation, parameterized queries)
ISO 27001:2022 A.16.1 - Incident Management (detection and response procedures)
🟣 PCI DSS v4.0
PCI DSS 2.1 - Change default passwords and security parameters
PCI DSS 6.5.1 - Injection flaws prevention (parameterized queries)
PCI DSS 8.1 - User Access Control (admin account management)
PCI DSS 10.2 - User Activity Logging (API call audit trails)
PCI DSS 10.3 - Protection of Audit Trails (log integrity)
📦 Affected Products / CPE (1 entry)
fleetdm:fleet
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity High
CVSS Score 8.8
CWE CWE-89
EPSS 0.03%
Exploit No
Patch ✗ No
Published 2026-03-27
Source Feed nvd
Views 3
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-89