CVE-2026-23518
published 2026-01-21

Priority: P2 · 71 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.23% (percentile 13.2)
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
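The description comes down to one missing check: the token's signature was never verified, so the identity claims inside it were trusted as presented. The Go program below is added here as an illustration and is not Fleet's code. It puts the weak pattern (decode the payload, trust the claims) beside a hardened parser that pins the algorithm, verifies the RS256 signature against the issuer's known public key, and only then checks exp, iss and aud. Everything in it is constructed for the example: the two RSA keys stand in for the identity provider's signing key and for a key nobody trusts, and the issuer URL, audience and upn values are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// mintToken RS256-signs claims into a compact JWT; it stands in for the identity provider (constructed).
func mintToken(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, serr := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil || serr != nil {
		return "", errors.New("token minting failed")
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// splitAndDecode returns the raw segments plus the decoded header and payload.
func splitAndDecode(token string) (parts []string, header, claims map[string]any, err error) {
	if parts = strings.Split(token, "."); len(parts) != 3 {
		return nil, nil, nil, errors.New("malformed token: expected 3 segments")
	}
	for i, dst := range []*map[string]any{&header, &claims} {
		if raw, derr := b64.DecodeString(parts[i]); derr != nil {
			return nil, nil, nil, derr
		} else if derr = json.Unmarshal(raw, dst); derr != nil {
			return nil, nil, nil, derr
		}
	}
	return parts, header, claims, nil
}

// parseUnverified is the weak pattern: claims are trusted without any signature check.
func parseUnverified(token string) (map[string]any, error) {
	_, _, claims, err := splitAndDecode(token)
	return claims, err
}

// parseVerified is the hardened pattern: pinned alg, signature against a known key, then exp/iss/aud.
func parseVerified(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (map[string]any, error) {
	parts, header, claims, err := splitAndDecode(token)
	if err != nil {
		return nil, err
	}
	if header["alg"] != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %v", header["alg"])
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	// A valid signature only proves who issued the token; exp, iss and aud bind it to this use.
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) || claims["iss"] != issuer || claims["aud"] != audience {
		return nil, errors.New("exp, iss or aud check failed")
	}
	return claims, nil
}

// scenario runs both parsers over a genuine token and a constructed forgery signed by an untrusted key.
func scenario() (map[string]bool, error) {
	const issuer, audience = "https://login.example.invalid/TENANT-PLACEHOLDER/v2.0", "mdm-enrollment-placeholder" // constructed
	idpKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	untrustedKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	now := time.Now()
	claims := func(upn string) map[string]any {
		return map[string]any{"iss": issuer, "aud": audience, "exp": now.Add(time.Hour).Unix(), "upn": upn}
	}
	genuine, _ := mintToken(idpKey, claims("alice@example.invalid"))
	forged, _ := mintToken(untrustedKey, claims("someone-else@example.invalid"))
	_, weakGenuine := parseUnverified(genuine)
	_, weakForged := parseUnverified(forged)
	_, strictGenuine := parseVerified(genuine, &idpKey.PublicKey, issuer, audience, now)
	_, strictForged := parseVerified(forged, &idpKey.PublicKey, issuer, audience, now)
	return map[string]bool{
		"weak accepts genuine": weakGenuine == nil, "weak accepts forged": weakForged == nil,
		"strict accepts genuine": strictGenuine == nil, "strict accepts forged": strictForged == nil,
	}, nil
}

func main() { fmt.Println(scenario()) }
```

scenario() reports that the weak parser accepts both tokens, including the one carrying another user's identity, while the hardened parser accepts only the genuine one. In a real relying party the public key would come from the identity provider's published JWKS, selected by the token's kid header, but the shape of the checks is the same: algorithm pinned, signature first, then the claims that bind the token to this issuer and this audience.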

Affected

18 ranges

Vendor       Product            Version range                                          Fixed in
fleetdm      fleet              < 4.53.3                                               4.53.3
fleetdm      fleet
fleetdm      fleet
fleetdm      fleet
fleetdm      fleet
fleetdm      fleet
fleetdm      fleet              >= 4.75.0 < 4.75.2                                     4.75.2
fleetdm      fleet              >= 4.76.0 < 4.76.2                                     4.76.2
fleetdm      fleet              >= 4.78.0 < 4.78.3                                     4.78.3
github.com   fleetdm_fleet      >= 0 < 4.43.5-0.20260112202845-e225ef57912c            4.43.5-0.20260112202845-e225ef57912c
github.com   fleetdm_fleet      >= 4.75.0 < 4.75.2                                     4.75.2
github.com   fleetdm_fleet      >= 4.76.0 < 4.76.2                                     4.76.2
github.com   fleetdm_fleet      >= 4.77.0 < 4.77.1                                     4.77.1
github.com   fleetdm_fleet      >= 4.78.0 < 4.78.3                                     4.78.3
github.com   fleetdm_fleet_v4   >= 4.75.0 < 4.75.2                                     4.75.2
github.com   fleetdm_fleet_v4   >= 4.76.0 < 4.76.2                                     4.76.2
github.com   fleetdm_fleet_v4   >= 4.77.0 < 4.77.1                                     4.77.1
github.com   fleetdm_fleet_v4   >= 4.78.0 < 4.78.3                                     4.78.3

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X