CVE-2026-46371
published 2026-06-12


Severity: medium
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

### Summary

A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service (APNS) tokens — through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist.

### Impact

The `GET /api/v1/fleet/mdm/apple/commands` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. The underlying query joins the `hosts` and `nano_enrollments` tables, so any column on those tables could be supplied as `order_key`. An attacker with Observer credentials could then use the cursor-based pagination parameter (`after`) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.
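The root cause described above is an `order_key` that reaches the `ORDER BY` clause without being checked against a column allowlist, so any column visible through the query's joins becomes sortable. The Go snippet below is an added example, not Fleet's code, that contrasts that weak pattern with an allowlist-based builder in which the client key is only ever translated into a pre-written SQL expression. The column names, table aliases and function names are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Illustrative allowlist: API-facing sort keys mapped to fixed SQL expressions.
// The column and alias names are assumptions for this example, not Fleet's schema.
var allowedOrderKeys = map[string]string{
	"command_uuid": "cmd.command_uuid",
	"request_type": "cmd.request_type",
	"status":       "cmd.status",
	"updated_at":   "cmd.updated_at",
	"hostname":     "h.hostname",
}

// ErrInvalidOrderKey is returned for any order_key outside the allowlist.
var ErrInvalidOrderKey = errors.New("invalid order_key")

// buildOrderByUnsafe mirrors the weak pattern the advisory describes: the
// caller-supplied key is placed into ORDER BY with no column allowlist, so any
// column reachable through the query's joins can be named.
func buildOrderByUnsafe(orderKey string) string {
	if orderKey == "" {
		orderKey = "updated_at"
	}
	return "ORDER BY " + orderKey
}

// buildOrderBySafe is the hardened form: the key is looked up in the allowlist
// and only the pre-written SQL expression reaches the query text.
func buildOrderBySafe(orderKey string, desc bool) (string, error) {
	key := strings.ToLower(strings.TrimSpace(orderKey))
	if key == "" {
		key = "updated_at"
	}
	col, ok := allowedOrderKeys[key]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrInvalidOrderKey, orderKey)
	}
	dir := "ASC"
	if desc {
		dir = "DESC"
	}
	return fmt.Sprintf("ORDER BY %s %s", col, dir), nil
}

// sortableKeys returns the keys a client may use, e.g. for an API error message.
func sortableKeys() []string {
	keys := make([]string, 0, len(allowedOrderKeys))
	for k := range allowedOrderKeys {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	// Constructed inputs: one legitimate sort key and one naming a joined-table
	// column that must never be orderable by a low-privilege caller.
	for _, k := range []string{"hostname", "h.node_key"} {
		fmt.Printf("unsafe %-12q -> %s\n", k, buildOrderByUnsafe(k))
		if clause, err := buildOrderBySafe(k, true); err != nil {
			fmt.Printf("safe   %-12q -> rejected: %v\n", k, err)
		} else {
			fmt.Printf("safe   %-12q -> %s\n", k, clause)
		}
	}
	fmt.Println("sortable keys:", strings.Join(sortableKeys(), ", "))
}
```

The important design choice is that the map's values, not the request parameter, are what get concatenated into SQL: a rejected key yields a 400-style error listing `sortableKeys()`, and columns such as `node_key` or `orbit_node_key` simply have no entry, so they can never be used as a sort oracle regardless of how the cursor parameter is driven.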

With extracted `node_key` or `orbit_node_key` values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate.

Exploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected.

### Workarounds

If an immediate upgrade is not possible, administrators should:

- Restrict the Observer role to fully trusted users until the patch is applied
- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts

### For more information

If there are any questions

### Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | fleetdm_fleet_v4 | >= 0, < 4.84.2 | 4.84.2 |