CVE-2026-23518
published 2026-01-21CVE-2026-23518: Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM…
PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.23%
13.2th percentile
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fleetdm | fleet | < 4.53.3 | 4.53.3 |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | >= 4.75.0 < 4.75.2 | 4.75.2 |
| fleetdm | fleet | >= 4.76.0 < 4.76.2 | 4.76.2 |
| fleetdm | fleet | >= 4.78.0 < 4.78.3 | 4.78.3 |
| github.com | fleetdm_fleet | >= 0 < 4.43.5-0.20260112202845-e225ef57912c | 4.43.5-0.20260112202845-e225ef57912c |
| github.com | fleetdm_fleet | >= 4.75.0 < 4.75.2 | 4.75.2 |
| github.com | fleetdm_fleet | >= 4.76.0 < 4.76.2 | 4.76.2 |
| github.com | fleetdm_fleet | >= 4.77.0 < 4.77.1 | 4.77.1 |
| github.com | fleetdm_fleet | >= 4.78.0 < 4.78.3 | 4.78.3 |
| github.com | fleetdm_fleet_v4 | >= 4.75.0 < 4.75.2 | 4.75.2 |
| github.com | fleetdm_fleet_v4 | >= 4.76.0 < 4.76.2 | 4.76.2 |
| github.com | fleetdm_fleet_v4 | >= 4.77.0 < 4.77.1 | 4.77.1 |
| github.com | fleetdm_fleet_v4 | >= 4.78.0 < 4.78.3 | 4.78.3 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet
osv·2026-02-03
CVE-2026-23518 Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet
GHSA
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
ghsa·2026-01-20
CVE-2026-23518 [CRITICAL] CWE-347 Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
### Summary
A vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.
### Impact
If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.
### Patches
- 4.78.3
- 4.77.1
- 4.76.2
- 4.75.2
- 4
OSV
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
osv·2026-01-20
CVE-2026-23518 [CRITICAL] Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
### Summary
A vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.
### Impact
If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.
### Patches
- 4.78.3
- 4.77.1
- 4.76.2
- 4.75.2
- 4
No detection rules found.
No public exploits indexed.
2026-01-21
Published