
Fleetdm Fleet vulnerabilities

29 known vulnerabilities affecting fleetdm/fleet.

Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 14, MEDIUM 9, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2026-23518 | P2 | CRITICAL | CVSS 9.8 | fixed in 4.53.3; affected ≥ 4.75.0, < 4.75.2; +7 more | 2026-01-21
CVE-2026-23518 [CRITICAL] CWE-347: Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled ide
Source: nvd
CVE-2026-34387 | P2 | CRITICAL | CVSS 9.8 | fixed in 4.81.1 | 2026-03-27
CVE-2026-34387 [CRITICAL] CWE-78: Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted software package. Version 4.81.1 patches the issue.
Source: nvd
CVE-2026-26191 | P2 | CRITICAL | CVSS 9.8 | fixed in 4.81.0; fixed in 4.81.1 | 2026-05-14
CVE-2026-26191 [CRITICAL] CWE-78: Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi)
Source: nvd
CVE-2026-29180 | P2 | HIGH | CVSS 8.8 | fixed in 4.81.1 | 2026-03-27
CVE-2026-29180 [HIGH] CWE-862: Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute
Source: nvd
CVE-2026-26060 | P3 | HIGH | CVSS 8.8 | fixed in 4.81.0 | 2026-03-27
CVE-2026-26060 [HIGH] CWE-613: Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet's password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. V
Source: nvd
CVE-2026-26186 | P3 | HIGH | CVSS 8.8 | fixed in 4.80.1 | 2026-02-26
CVE-2026-26186 [HIGH] CWE-89: Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause, specially crafted input could escape identifier quoting and be interpreted
Source: nvd
CVE-2026-34386 | P3 | HIGH | CVSS 8.8 | fixed in 4.81.0 | 2026-03-27
CVE-2026-34386 [HIGH] CWE-89: Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs
Source: nvd
CVE-2025-27509 | P3 | CRITICAL | CVSS 9.3 | affected v>= 4.64.0, < 4.64.2; v>= 4.63.0, < 4.63.2; +2 more | 2025-03-06
CVE-2025-27509 [CRITICAL] CWE-285: fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is enabled, or create new accounts tied to forged assertions if f MDM enrol
Source: nvd
CVE-2020-26276 | P3 | CRITICAL | CVSS 9.8 | fixed in 3.5.1 | 2020-12-17
CVE-2020-26276 [CRITICAL] CWE-290: Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue. Thi
Source: nvd
CVE-2026-34385 | P3 | HIGH | CVSS 8.1 | fixed in 4.81.0 | 2026-03-27
CVE-2026-34385 [HIGH] CWE-89: Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Ver
Source: nvd
CVE-2026-24899 | P3 | HIGH | CVSS 7.5 | fixed in 4.82.0 | 2026-05-14
CVE-2026-24899 [HIGH] CWE-290: Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, an
Source: nvd
CVE-2026-46356 | P3 | HIGH | CVSS 7.5 | fixed in 4.80.1 | 2026-05-14
CVE-2026-46356 [HIGH] CWE-290: Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP a
Source: nvd
CVE-2026-23517 | P3 | HIGH | CVSS 8.1 | fixed in 4.53.3; affected ≥ 4.75.0, < 4.75.2; +7 more | 2026-01-21
CVE-2026-23517 [HIGH] CWE-862: Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations
Source: nvd
CVE-2022-24841 | P3 | HIGH | CVSS 8.1 | fixed in 4.13 | 2022-04-18
CVE-2022-24841 [HIGH] CWE-284: fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, mainta
Source: nvd
CVE-2026-23998 | P3 | HIGH | CVSS 7.5 | fixed in 4.81.0 | 2026-05-14
CVE-2026-23998 [HIGH] CWE-295: Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration dat
Source: nvd
CVE-2026-34391 | P3 | HIGH | CVSS 7.5 | fixed in 4.81.1 | 2026-03-27
CVE-2026-34391 [HIGH] CWE-488: Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fle
Source: nvd
CVE-2026-26061 | P3 | HIGH | CVSS 7.5 | fixed in 4.81.0 | 2026-03-27
CVE-2026-26061 [HIGH] CWE-770: Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (
Source: nvd
CVE-2026-27806 | P3 | HIGH | CVSS 7.8 | fixed in 4.81.1 | 2026-04-08
CVE-2026-27806 [HIGH] CWE-78: Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quoted send {%s}, a
Source: nvd
CVE-2026-27465 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.80.1 | 2026-02-26
CVE-2026-27465 [MEDIUM] CWE-201: Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet's configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configu
Source: nvd
CVE-2026-34388 | P3 | HIGH | CVSS 7.5 | fixed in 4.81.0 | 2026-03-27
CVE-2026-34388 [HIGH] CWE-703: Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Versio
Source: nvd
Fleetdm Fleet vulnerabilities | cvebase