Fleetdm Fleet vulnerabilities
29 known vulnerabilities affecting fleetdm/fleet.
Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 14, MEDIUM 9, LOW 1
Vulnerabilities
Page 2 of 2
CVE-2026-34389 | MEDIUM (P3) | CWE-287 | CVSS 6.5 | fixed in 4.81.1, 4.81.0 | 2026-03-27
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address
Source: nvd
CVE-2026-25963 | MEDIUM (P3) | CWE-863 | CVSS 6.5 | fixed in 4.80.1 | 2026-02-26
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate templates that are scoped to individual teams. In
Source: nvd
CVE-2026-24000 | MEDIUM (P3) | CWE-290 | CVSS 5.3 | fixed in 4.80.1 | 2026-05-14
Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP addr
Source: nvd
CVE-2026-26062 | MEDIUM (P3) | CWE-20 | CVSS 6.5 | fixed in 4.81.0 | 2026-05-14
Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from
Source: nvd
CVE-2022-23600 | MEDIUM (P3) | CWE-287 | CVSS 6.5 | fixed in 4.9.1 | 2022-02-04
fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service Provider (SP) could reuse the SAML response to log into Fleet as a user --
Source: nvd
CVE-2026-24004 | MEDIUM (P3) | CWE-862 | CVSS 5.3 | fixed in 4.80.1 | 2026-02-26
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could sen
Source: nvd
CVE-2026-22808 | MEDIUM (P3) | CWE-79 | CVSS 5.4 | fixed in 4.53.3; affected ≥ 4.75.0, < 4.75.2 (+6 more ranges) | 2026-01-21
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, inc
Source: nvd
CVE-2026-23999 | MEDIUM (P4) | CWE-330 | CVSS 5.5 | fixed in 4.80.1 | 2026-02-26
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.
Source: nvd
CVE-2021-21296 | LOW (P4) | CWE-400 | CVSS 2.7 | fixed in 3.7.0 | 2021-02-10
Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement
Source: nvd