Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0830

NIXPKGS-2026-0830
published on 28 Mar 2026
Permalink CVE-2026-34386
updated 2 days, 10 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 3 days, 2 hours ago
  • @LeSuisse removed
    20 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • python314Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python314Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • python314Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    • tests.home-assistant-component-tests.tesla_fleet
    2 days, 10 hours ago
  • @LeSuisse accepted 2 days, 10 hours ago
  • @LeSuisse published on GitHub 2 days, 10 hours ago
Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

References

Affected products

fleet
  • ==< 4.81.0

Matching in nixpkgs

Ignored packages (20)

Package maintainers

Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m