CVE-2026-26060
Published: 2026-03-27
Priority: P3 (59)
Severity: High, CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.34% (25.3th percentile)
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fleetdm | fleet | < 4.81.0 | 4.81.0 |
| github.com | fleetdm_fleet_v4 | >= 0 < 4.43.5-0.20260113202849-bbc1aef2987d | 4.43.5-0.20260113202849-bbc1aef2987d |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV · 2026-04-02
CVE-2026-26060: Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/fleetdm/fleet/v4 before v4.43.5-0.20260113202849-bbc1aef2987d.
OSV · 2026-03-27
CVE-2026-26060 [MEDIUM] Fleet: Password reset tokens remain valid after password change for 24 hours
### Summary
A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.
### Impact
If an attacker had prior access to a valid password reset token, they could reuse that token within its validity window to reset the user’s password after the user has already changed it. This could result in temporary account takeover.
Exploitation requires prior compromise of a password reset token and is further constrained by the token’s 24-hour expiration period. The issue does not allow discovery of
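The Summary and Impact above describe a missing-invalidation defect (CWE-613): a password reset token outlives the credential it was issued to replace, so a defensive password change does not close the window. The Go program below is added here for illustration and is not Fleet's code; it models the token lifecycle in an in-memory store and shows the unpatched behaviour beside the fix. The 24-hour TTL comes from the advisory, while the type and function names, the SHA-256 stand-in for a real password KDF, the `RevokeOnChange` switch and the sample account are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Illustrative code written for this page, not Fleet's; the 24h TTL follows the advisory, all names are assumed.
const resetTokenTTL = 24 * time.Hour
var ErrInvalidToken = errors.New("reset token invalid, expired or revoked")

type tokenRecord struct {
	userID    string
	expiresAt time.Time
}

// Store keeps password hashes and outstanding reset tokens in memory.
type Store struct {
	mu             sync.Mutex
	passwords      map[string][32]byte      // userID -> hash(password)
	tokens         map[[32]byte]tokenRecord // hash(token) -> record; raw tokens are never stored
	now            func() time.Time         // injectable clock so expiry can be tested
	RevokeOnChange bool                     // false reproduces the CWE-613 defect, true is the fix
}

func NewStore(revokeOnChange bool) *Store {
	return &Store{passwords: map[string][32]byte{}, tokens: map[[32]byte]tokenRecord{}, now: time.Now, RevokeOnChange: revokeOnChange}
}

// hash stands in for a real password KDF (bcrypt/argon2) to keep the example short.
func hash(s string) [32]byte { return sha256.Sum256([]byte(s)) }

func (s *Store) CreateUser(userID, password string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.passwords[userID] = hash(password)
}

func (s *Store) CheckPassword(userID, password string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	h, ok := s.passwords[userID]
	return ok && h == hash(password)
}

// IssueResetToken mints a random token, stores only its hash with a 24h expiry, and returns the raw value.
func (s *Store) IssueResetToken(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[hash(token)] = tokenRecord{userID: userID, expiresAt: s.now().Add(resetTokenTTL)}
	return token, nil
}

// RedeemResetToken sets a new password if the token is known and unexpired; tokens are single-use.
func (s *Store) RedeemResetToken(token, newPassword string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hash(token)
	rec, ok := s.tokens[key]
	delete(s.tokens, key) // consumed whether or not it was valid
	if !ok || s.now().After(rec.expiresAt) {
		return ErrInvalidToken
	}
	s.passwords[rec.userID] = hash(newPassword)
	return nil
}

// ChangePassword is the authenticated, user-driven change. Replacing the hash alone leaves earlier
// reset tokens usable until their TTL runs out; the fix revokes them in the same critical section.
func (s *Store) ChangePassword(userID, newPassword string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.passwords[userID] = hash(newPassword)
	if s.RevokeOnChange {
		for key, rec := range s.tokens {
			if rec.userID == userID {
				delete(s.tokens, key)
			}
		}
	}
}

func main() {
	for _, revoke := range []bool{false, true} {
		s := NewStore(revoke)
		s.CreateUser("alice", "old-pw")
		tok, _ := s.IssueResetToken("alice") // constructed: a token issued before the change
		s.ChangePassword("alice", "new-pw")
		fmt.Printf("revokeOnChange=%v, stale token accepted=%v\n", revoke, s.RedeemResetToken(tok, "reset-pw") == nil)
	}
}
```

Running it prints one line per variant: with `RevokeOnChange=false` the token issued before the change still resets the password, which is the advisory's "temporary account takeover" bounded only by the 24-hour TTL; with `RevokeOnChange=true` the same token is rejected. Revoking inside the same lock as the hash update matters, since a separate revocation step leaves a race between the two writes. An equivalent design stores a credential version with each token and rejects any token whose version no longer matches the account's, which gives the same result without a scan over the token table.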
GHSA · 2026-03-27
CVE-2026-26060 [MEDIUM] CWE-613 Fleet: Password reset tokens remain valid after password change for 24 hours
(Summary and Impact text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.