CVE-2026-34391 MEDIUM

CVE-2026-34391: Fleet Vulnerable to Windows MDM cross-device command disclosure

Vendor Fleetdm
Product fleet
Weakness CWE-488
Published March 27, 2026
Last update March 27, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. Version 4.81.1 patches the issue.

Key dates

02 Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated