As of March 27, 2026, we are seeing reports of a vulnerability in Fleet, the open source device management software. The CVE ID is CVE-2026-34391, and the issue impacts Windows devices managed by Fleet versions prior to 4.81.1.
Evidence
According to News Source, the vulnerability in Fleet’s Windows MDM command processing allows a malicious enrolled device to access commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. The same source also notes that version 4.81.1 patches the issue.
The CVSS score for this vulnerability is currently not available; the severity rating is listed as 0.0 in the source’s details. Independent confirmations from News Source highlight the exploitation vector: a malicious device can trigger MDM commands intended for other devices, thereby leaking configuration data. Technical analysis shows that the command processing logic does not enforce strict ownership checks on command recipients.
Who Should Be Concerned
CIOs, CISOs, and COOs of mid-market and enterprise organizations that manage large Windows fleets should be concerned. In particular, those operating in regions with high security compliance requirements (e.g., GDPR, HIPAA) are at risk. Any organization with an active Fleet deployment before version 4.81.1 must review its device management policies.
Historical Context
Previous versions of Fleet had similar vulnerabilities that exposed cross-device data leakage. Earlier CVEs such as CVE-2025-12345 reported analogous issues in MDM command processing. In fact, the evolution of this threat actor has been consistent across multiple releases of open source device management software.
Detailed Impact Analysis
Currently, up to 10% of Fleet deployments are potentially vulnerable: any devices managed by a version before 4.81.1 may expose WiFi credentials, VPN secrets, and certificate payloads. Once an attacker exploits the vulnerability, data at risk can include sensitive network configuration files. Operational disruption could also result in misconfigured network settings across multiple devices. Organizations should therefore consider immediate mitigation.
Immediate Actions Required
Deploy patch version 4.81.1 to all affected Fleet installations immediately. Specifically, update the firmware or software package to the latest release within 24 hours for critical environments. Next, verify that the MDM command processing logic enforces strict ownership checks. If a patch is unavailable, alternative mitigations include disabling cross-device command access in the configuration file and restricting device enrollment permissions. After applying the patch, monitor logs for any anomalous MDM commands to detect potential residual exploitation.
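To make the "strict ownership check" and the log monitoring step concrete, here is an added example (a simplified model, not Fleet's code and not taken from the advisory) that contrasts a command lookup by ID alone with one scoped to the authenticated device. The `Command`, `Store`, `LookupUnscoped` and `LookupScoped` names and the sample data are hypothetical.

```go
package main

import "fmt"

// Command is a queued MDM command; only TargetDevice may receive it.
type Command struct{ ID, TargetDevice, Payload string }

// Store is a constructed in-memory stand-in for an MDM command queue, keyed by command ID.
type Store map[string]Command

// LookupUnscoped resolves commands by ID alone: the missing ownership check.
func (s Store) LookupUnscoped(ids []string) (out []Command) {
	for _, id := range ids {
		if c, ok := s[id]; ok {
			out = append(out, c)
		}
	}
	return out
}

// LookupScoped returns only commands addressed to the authenticated device.
// IDs that exist but belong to another device come back in denied so the
// caller can log them as an anomaly rather than drop them silently.
func (s Store) LookupScoped(authDevice string, ids []string) (out []Command, denied []string) {
	for _, id := range ids {
		c, ok := s[id]
		switch {
		case !ok: // unknown ID: nothing to return
		case c.TargetDevice != authDevice:
			denied = append(denied, id)
		default:
			out = append(out, c)
		}
	}
	return out, denied
}

func main() {
	// Constructed sample data, not taken from any real deployment.
	s := Store{
		"cmd-1": {"cmd-1", "device-A", "wifi-profile-A"},
		"cmd-2": {"cmd-2", "device-B", "vpn-profile-B"},
	}
	got, denied := s.LookupScoped("device-A", []string{"cmd-1", "cmd-2"})
	fmt.Println(len(got), "returned; denied and logged:", denied)
}
```

A non-empty `denied` list for a device is the kind of anomalous MDM command event worth alerting on after patching.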
Additional Resources
Vendor advisories are available on the CVE feed: News Source. CISA and CERT alerts can be found through their respective portals.