CVE-2026-22808
Published 2026-01-21
Priority P3 · 34 · medium · CVSS 3.1 base score 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS 0.21% (11.1th percentile)
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability (by getting an authenticated Fleet user to open a crafted link) to steal that user's authentication token (FLEET::auth_token) from localStorage. If the victim is a Fleet administrator, this grants administrative access to Fleet, including visibility into device data and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fleetdm | fleet | < 4.53.3 | 4.53.3 |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | >= 4.75.0 < 4.75.2 | 4.75.2 |
| fleetdm | fleet | >= 4.76.0 < 4.76.2 | 4.76.2 |
| fleetdm | fleet | >= 4.78.0 < 4.78.2 | 4.78.2 |
| github.com | fleetdm_fleet | >= 4.75.0 < 4.75.2 | 4.75.2 |
| github.com | fleetdm_fleet | >= 4.76.0 < 4.76.2 | 4.76.2 |
| github.com | fleetdm_fleet | >= 4.77.0 < 4.77.1 | 4.77.1 |
| github.com | fleetdm_fleet | >= 4.78.0 < 4.78.2 | 4.78.2 |
| github.com | fleetdm_fleet_v4 | >= 0 < 4.43.5-0.20260111020427-0e6c790803d1 | 4.43.5-0.20260111020427-0e6c790803d1 |
| github.com | fleetdm_fleet_v4 | >= 4.75.0 < 4.75.2 | 4.75.2 |
| github.com | fleetdm_fleet_v4 | >= 4.76.0 < 4.76.2 | 4.76.2 |
| github.com | fleetdm_fleet_v4 | >= 4.77.0 < 4.77.1 | 4.77.1 |
| github.com | fleetdm_fleet_v4 | >= 4.78.0 < 4.78.2 | 4.78.2 |
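As an added example (not code from this page or from the Fleet project), a small checker that maps a Fleet server version onto the affected ranges and fix versions listed above. The ranges and fixed versions are transcribed from this page; the sample versions in the usage are constructed. A version that falls in none of the listed ranges (for example 4.60.0, or anything newer than 4.78.2) is reported as unlisted rather than fixed, because the table names no fix for it:

```python
"""Check a Fleet server version against the CVE-2026-22808 ranges above.

Added example, not Fleet's own code. AFFECTED_RANGES is transcribed from the
advisory table on this page; the branch-to-fix mapping follows the advisory
text (4.53.3, 4.75.2, 4.76.2, 4.77.1, 4.78.2).
"""
from __future__ import annotations

import re

# (inclusive lower bound or None, exclusive upper bound, fixed-in version)
AFFECTED_RANGES: list[tuple[str | None, str, str]] = [
    (None,     "4.53.3", "4.53.3"),
    ("4.75.0", "4.75.2", "4.75.2"),
    ("4.76.0", "4.76.2", "4.76.2"),
    ("4.77.0", "4.77.1", "4.77.1"),
    ("4.78.0", "4.78.2", "4.78.2"),
]


def parse_version(v: str) -> tuple[int, int, int]:
    """'4.78.1', 'v4.78.1' or '4.78.1-rc1' -> (4, 78, 1); suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Fleet version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> dict[str, str | None]:
    """Classify a Fleet version as 'affected', 'fixed' or 'unlisted'.

    'unlisted' means the version is outside every range on this page (e.g.
    4.60.0, or anything newer than 4.78.2); the page names no fix for such
    versions, so the result must not be read as 'safe'.
    """
    v = parse_version(version)
    for lo, hi, fix in AFFECTED_RANGES:
        in_lower = lo is None or v >= parse_version(lo)
        if in_lower and v < parse_version(hi):
            return {
                "status": "affected",
                "fixed_in": fix,
                "action": f"upgrade to {fix} or later; until then disable Windows MDM",
            }
        fix_t = parse_version(fix)
        # Same release branch (major.minor) at or beyond the fix for that branch.
        if v[:2] == fix_t[:2] and v >= fix_t:
            return {"status": "fixed", "fixed_in": fix, "action": "none"}
    return {
        "status": "unlisted",
        "fixed_in": None,
        "action": "no range on this page covers this version; "
                  "treat as affected while Windows MDM is enabled until confirmed",
    }


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for sample in ("4.53.2", "4.53.3", "4.60.0", "4.77.0", "4.78.1", "v4.78.2"):
        r = assess(sample)
        print(f"{sample:>8}: {r['status']:<8} fixed_in={r['fixed_in']}  {r['action']}")
```

Run it with the version string reported by your Fleet server; the three-way result is deliberate, since collapsing "unlisted" into "fixed" is how a 4.6x deployment would be wrongly signed off.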
CVSS provenance
NVD, CVSS v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v4.0: 5.5 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV (2026-02-03): CVE-2026-22808 Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet
OSV (2026-01-20): CVE-2026-22808 [MEDIUM] Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
### Summary
A cross-site scripting (XSS) vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices.
### Impact
If Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.
A compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts
GHSA (2026-01-20): CVE-2026-22808 [MEDIUM] CWE-79 Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability. The GHSA summary and impact text is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.