CVE-2026-22808
published 2026-01-21

Priority: P3 (34)
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.21% (11.1th percentile)

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Affected (17 ranges)

Vendor      Product            Version range                                    Fixed in
fleetdm     fleet              < 4.53.3                                         4.53.3
fleetdm     fleet              (not listed)                                     (not listed)
fleetdm     fleet              (not listed)                                     (not listed)
fleetdm     fleet              (not listed)                                     (not listed)
fleetdm     fleet              (not listed)                                     (not listed)
fleetdm     fleet              >= 4.75.0, < 4.75.2                              4.75.2
fleetdm     fleet              >= 4.76.0, < 4.76.2                              4.76.2
fleetdm     fleet              >= 4.78.0, < 4.78.2                              4.78.2
github.com  fleetdm_fleet      >= 4.75.0, < 4.75.2                              4.75.2
github.com  fleetdm_fleet      >= 4.76.0, < 4.76.2                              4.76.2
github.com  fleetdm_fleet      >= 4.77.0, < 4.77.1                              4.77.1
github.com  fleetdm_fleet      >= 4.78.0, < 4.78.2                              4.78.2
github.com  fleetdm_fleet_v4   >= 0, < 4.43.5-0.20260111020427-0e6c790803d1     4.43.5-0.20260111020427-0e6c790803d1
github.com  fleetdm_fleet_v4   >= 4.75.0, < 4.75.2                              4.75.2
github.com  fleetdm_fleet_v4   >= 4.76.0, < 4.76.2                              4.76.2
github.com  fleetdm_fleet_v4   >= 4.77.0, < 4.77.1                              4.77.1
github.com  fleetdm_fleet_v4   >= 4.78.0, < 4.78.2                              4.78.2

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     5.4    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd     v4.0     5.5    MEDIUM    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X