Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.
AnalysisAI
SQL injection in Fleet's Apple MDM profile delivery pipeline before version 4.81.0 allows authenticated attackers with valid MDM enrollment certificates to exfiltrate or modify database contents, including user credentials, API tokens, and device enrollment secrets. This second-order SQL injection vulnerability affects the cpe:2.3:a:fleetdm:fleet product line and requires valid MDM enrollment credentials to exploit, limiting the attack surface to adversaries who have already established trust within the MDM enrollment process. No public exploit code or active exploitation has been identified at the time of this analysis.
Technical ContextAI
Fleet is an open-source device management platform that integrates with Apple's Mobile Device Management (MDM) infrastructure to manage enrolled Apple devices. The vulnerability is classified as CWE-89 (SQL Injection), specifically a second-order variant where malicious input is stored during MDM profile delivery and later executed as SQL commands when that data is processed. Second-order SQL injection is particularly dangerous because the attack vector and execution point are separated, making detection and input validation more difficult. The attack occurs within Fleet's MDM profile delivery pipeline, which handles certificate-based authentication and device enrollment workflows. The vulnerability requires an attacker to possess a valid MDM enrollment certificate, indicating the attack surface is limited to entities that have successfully participated in an MDM trust establishment process.
RemediationAI
Upgrade Fleet to version 4.81.0 or later immediately to apply the vendor-released patch that addresses the SQL injection vulnerability. Organizations unable to upgrade immediately should restrict network access to Fleet instances to trusted internal networks and enforce strong authentication controls on MDM enrollment certificate issuance, limiting certificate distribution to known and trusted devices. Additionally, implement database access controls and monitor SQL query logs for suspicious patterns indicative of SQL injection attempts. Review MDM enrollment certificate logs to identify any certificates issued to unexpected principals. The official patch and migration guidance are available in the vendor security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45.
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16754
GHSA-v895-833r-8c45