cvebase

github.com/fleetdm/fleet/v4 vulnerabilities

28 known vulnerabilities affecting the Go module github.com/fleetdm/fleet/v4.

Total CVEs: 28
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 18, UNKNOWN 1

Vulnerabilities

Page 1 of 2
CVE-2026-23518 | P2 | UNKNOWN | affected: ≥ 4.75.0, < 4.75.2; ≥ 4.76.0, < 4.76.2; +2 more | 2026-02-03
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet
Sources: osv
CVE-2026-26191 | P2 | MEDIUM | affected: ≥ 0, < 4.81.1 | 2026-05-14
[MEDIUM] CWE-78: Fleet vulnerable to OS command injection in software packages
Summary: A vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered.
Impact: When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploaded to Fleet, metadata is extract
Sources: ghsa
CVE-2026-29180 | P2 | MEDIUM | affected: ≥ 0, < 4.81.1 | 2026-03-27
[MEDIUM] CWE-862: A Fleet team maintainer can transfer hosts from any team via missing source team authorization
Summary: A broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including
Sources: ghsa, osv
CVE-2026-26060 | P3 | MEDIUM | affected: ≥ 0, < 4.43.5-0.20260113202849-bbc1aef2987d | 2026-03-27
[MEDIUM] CWE-613: Fleet: Password reset tokens remain valid after password change for 24 hours
Summary: A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.
Impact: I
Sources: ghsa, osv
CVE-2026-26186 | P3 | MEDIUM | affected: ≥ 0, < 4.80.1 | 2026-02-26
[MEDIUM] CWE-89: Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter
Summary: A SQL Injection vulnerability in Fleet’s software versions API allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause, specially crafted input could escape identifier quot
Sources: ghsa, osv
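The ORDER BY column is an identifier position, so parameter binding cannot protect it; the only robust fix is to never let user input reach the SQL text at all. The added example below (not Fleet's code, and it does not use goqu) contrasts the pattern the advisory describes, a caller-supplied sort key wrapped in backticks, with an allowlist that maps `order_key` to a fixed column and rejects everything else. The table and column names (`software`, `name`, `version`, `hosts_count`) and the injection payload are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// orderByUnsafe mirrors the pattern the advisory describes: the sort key from the
// request is placed into the ORDER BY clause as an identifier with only backtick
// quoting around it. A backtick inside the key closes the identifier and the rest
// of the string is interpreted as SQL. Intentionally vulnerable, for contrast.
func orderByUnsafe(orderKey string) string {
	return fmt.Sprintf("SELECT id, name, version FROM software ORDER BY `%s`", orderKey)
}

// allowedSortKeys maps the API-facing sort key to the real column (names assumed).
// Anything not in this map is rejected before any SQL is built.
var allowedSortKeys = map[string]string{
	"name":        "name",
	"version":     "version",
	"hosts_count": "hosts_count",
}

// orderBySafe resolves the sort key and direction through allowlists and returns an
// error (to be answered with HTTP 400) instead of a query for unexpected input.
// User-controlled bytes never appear in the returned SQL.
func orderBySafe(orderKey, direction string) (string, error) {
	col, ok := allowedSortKeys[orderKey]
	if !ok {
		return "", fmt.Errorf("unknown order_key %q", orderKey)
	}
	dir := strings.ToUpper(direction)
	switch dir {
	case "", "ASC":
		dir = "ASC"
	case "DESC":
	default:
		return "", errors.New("order_direction must be asc or desc")
	}
	return fmt.Sprintf("SELECT id, name, version FROM software ORDER BY `%s` %s", col, dir), nil
}

func main() {
	// Constructed payload: closes the identifier, appends an expression, comments out the rest.
	payload := "name`, (SELECT SLEEP(5)) -- "
	fmt.Println("unsafe:", orderByUnsafe(payload))
	q, err := orderBySafe(payload, "asc")
	fmt.Println("safe:", q, err)
}
```

The same allowlist approach applies to any other identifier position (table names, column lists, JSON paths) that an API exposes for sorting or filtering.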
CVE-2026-34386 | P3 | MEDIUM | affected: ≥ 0, < 4.81.0 | 2026-03-30
[MEDIUM] CWE-89: Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin
Summary: A SQL Injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary
Sources: ghsa, osv
CVE-2025-27509 | P3 | CRITICAL | affected: ≥ 4.64.0, < 4.64.2; ≥ 4.63.0, < 4.63.2; +3 more | 2025-03-06
[CRITICAL] CWE-285: Fleet has SAML authentication vulnerability due to improper SAML response validation
Summary: A vulnerability in Fleet’s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue
Sources: ghsa, osv
CVE-2020-26276 | P3 | HIGH | affected: ≥ 0, < 3.5.1 | 2022-02-11
[HIGH] CWE-290: SAML authentication vulnerability due to stdlib XML parsing
Impact: Due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users that configure Fleet with SSO login may be vulnerable to this issue.
Patches: This issue is patched in 3.5.1 using https://githu
Sources: ghsa, osv
CVE-2026-34385 | P3 | MEDIUM | affected: ≥ 0, < 4.81.0 | 2026-03-30
[MEDIUM] CWE-89: Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database
Summary: A critical second-order SQL Injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API to
Sources: ghsa, osv
CVE-2026-24899 | P3 | HIGH | affected: ≥ 0, < 4.82.0 | 2026-05-14
[HIGH] CWE-290: Fleet Windows MDM Azure AD JWT Authentication Bypass
Summary: A vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes
Sources: ghsa
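The failure mode here is worth seeing in code: a token whose RS256 signature verifies against Microsoft's multi-tenant JWKS only proves "Microsoft issued this", not "for my tenant" or "for my application". The added example below is not Fleet's code; it mints and verifies RS256 tokens with the Go standard library so it runs offline (the local key stands in for Microsoft's signer and the JWKS lookup), then shows the missing step: `iss` and `tid` must name the configured tenant and `aud` must equal the application's client ID. The issuer format used is the Entra ID v2.0 form `https://login.microsoftonline.com/{tenant}/v2.0`; the tenant and client ID strings are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// entraClaims are the Entra ID (Azure AD) access-token claims that bind a token
// to one tenant (iss, tid) and one application (aud). Names match the real claims.
type entraClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Tid string `json:"tid"`
}

// issuerFor is the Entra ID v2.0 issuer URL for a tenant.
func issuerFor(tenantID string) string {
	return "https://login.microsoftonline.com/" + tenantID + "/v2.0"
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken signs an RS256 JWT. It stands in for Microsoft's token service so the
// example runs offline; in production Microsoft signs and the key comes from JWKS.
func mintToken(priv *rsa.PrivateKey, c entraClaims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifySignature is the step the advisory says was already performed. A valid
// signature proves only that the trusted signer issued the token, nothing about
// which tenant or application it was issued for.
func verifySignature(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// checkTenantBinding is the step that was missing: iss and tid must name the
// configured tenant and aud must be this application's client ID.
func checkTenantBinding(payload []byte, tenantID, clientID string) (*entraClaims, error) {
	var c entraClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuerFor(tenantID):
		return nil, fmt.Errorf("issuer %q is not the configured tenant's issuer", c.Iss)
	case c.Tid != tenantID:
		return nil, fmt.Errorf("tid %q is not the configured tenant", c.Tid)
	case c.Aud != clientID:
		return nil, fmt.Errorf("aud %q is not this application", c.Aud)
	}
	return &c, nil
}

// validateEnrollmentToken runs signature verification first, then tenant binding.
func validateEnrollmentToken(token string, pub *rsa.PublicKey, tenantID, clientID string) (*entraClaims, error) {
	payload, err := verifySignature(token, pub)
	if err != nil {
		return nil, err
	}
	return checkTenantBinding(payload, tenantID, clientID)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const ours, theirs, app = "contoso-tenant-id", "attacker-tenant-id", "fleet-client-id" // constructed
	good, _ := mintToken(priv, entraClaims{Iss: issuerFor(ours), Tid: ours, Aud: app})
	foreign, _ := mintToken(priv, entraClaims{Iss: issuerFor(theirs), Tid: theirs, Aud: app})
	_, err := validateEnrollmentToken(good, &priv.PublicKey, ours, app)
	fmt.Println("own tenant:", err)
	_, err = validateEnrollmentToken(foreign, &priv.PublicKey, ours, app)
	fmt.Println("foreign tenant, valid signature:", err)
}
```

In a deployment that legitimately serves several tenants, replace the single `tenantID` with an explicit allowlist of tenant IDs; never derive the accepted issuer from the token's own `tid`, since that reintroduces the bypass.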
CVE-2026-46356 | P3 | MEDIUM | affected: ≥ 0, < 4.80.1 | 2026-05-14
[MEDIUM] CWE-290: Fleet: IP spoofing allows bypassing API rate limiting
Summary: A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet.
Impact: Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real
Sources: ghsa
CVE-2026-23517 | P3 | HIGH | affected: ≥ 0, < 4.78.3-0.20260112221730-5c030e32a3a9 | 2026-01-20
[HIGH] CWE-862: Fleet has an Access Control vulnerability in debug/pprof endpoints
Summary: A broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.
Impact: Fleet’s debug/pprof endpoints are accessible to any authe
Sources: ghsa, osv
CVE-2026-23998 | P3 | HIGH | affected: ≥ 0, < 4.81.0 | 2026-05-14
[HIGH] CWE-295: Fleet has a Windows MDM management endpoint authentication bypass
Summary: A vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data.
Impact: Fleet’s Windows MDM managemen
Sources: ghsa
CVE-2026-26061 | P3 | HIGH | affected: ≥ 0, < 4.43.5-0.20260113202849-bbc1aef2987d | 2026-03-27
[HIGH] CWE-770: Fleet's unbounded request body read allows remote Denial of Service
Summary: Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition.
Impact: An u
Sources: ghsa, osv
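The standard-library fix for this class of bug is to cap the body before anything decodes it. The added example below is not Fleet's code: it wraps an unauthenticated JSON endpoint's body in `http.MaxBytesReader`, answers an oversized body with 413, and also rejects unknown fields and trailing data. The request shape (`enroll_secret`, `host_identifier`), the 1 MiB cap and the `/enroll` path are assumptions for the example; the oversized payload is constructed in `main`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap for the example; size it to the largest legitimate
// request the endpoint must accept. The point is that some finite cap exists.
const maxBodyBytes = 1 << 20

// enrollRequest stands in for an unauthenticated request body (field names assumed).
type enrollRequest struct {
	EnrollSecret   string `json:"enroll_secret"`
	HostIdentifier string `json:"host_identifier"`
}

// decodeBounded reads at most maxBodyBytes of the body. http.MaxBytesReader fails
// the read once the cap is exceeded, so the server never buffers more than the cap
// per request, whether or not the caller is authenticated.
func decodeBounded(w http.ResponseWriter, r *http.Request, dst any) error {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(dst); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		} else {
			http.Error(w, "malformed request body", http.StatusBadRequest)
		}
		return err
	}
	if dec.More() { // a second JSON value after the first is not a valid request
		http.Error(w, "trailing data after request body", http.StatusBadRequest)
		return errors.New("trailing data")
	}
	return nil
}

func enrollHandler(w http.ResponseWriter, r *http.Request) {
	var req enrollRequest
	if err := decodeBounded(w, r, &req); err != nil {
		return // decodeBounded already wrote the error response
	}
	if req.EnrollSecret == "" {
		http.Error(w, "enroll_secret required", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postJSON drives the handler in memory and returns the HTTP status, so the
// behaviour can be checked without a network listener.
func postJSON(body string) int {
	rec := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodPost, "/enroll", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/json")
	enrollHandler(rec, r)
	return rec.Code
}

func main() {
	fmt.Println("normal:", postJSON(`{"enroll_secret":"s3cret","host_identifier":"host-1"}`))
	// Constructed oversized payload: well-formed JSON, but larger than the cap.
	fmt.Println("oversized:", postJSON(`{"enroll_secret":"`+strings.Repeat("a", maxBodyBytes)+`"}`))
}
```

Apply the wrapper in a middleware at the router so no handler can forget it, and pick a cap per route class (an enrollment body needs far less than a package upload).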
CVE-2026-27806 | P3 | HIGH | affected: ≥ 0, < 4.81.1 | 2026-04-08
[HIGH] CWE-78: Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
Summary: The Orbit agent's FileVault disk encryption key rotation flow on macOS collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into Tcl brace-quoted `send {%s}`, a passwo
Sources: ghsa, osv
CVE-2026-27465 | P3 | HIGH | affected: ≥ 0, < 4.80.1 | 2026-02-26
[HIGH] CWE-200: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users
Summary: A vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account.
Impact: Fleet returns configuration data
Sources: ghsa, osv
CVE-2026-34388 | P3 | MEDIUM | affected: ≥ 0, < 4.81.0 | 2026-03-30
[MEDIUM] CWE-703: Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
Summary: A Denial of Service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers
Sources: ghsa, osv
CVE-2026-34389 | P3 | MEDIUM | affected: ≥ 0, < 4.81.0 | 2026-03-30
[MEDIUM] CWE-287: Fleet's user account creation via invite does not enforce invited email address
Summary: Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while in
Sources: ghsa, osv
CVE-2026-24000 | P3 | MEDIUM | affected: ≥ 0, < 4.80.1 | 2026-05-14
[MEDIUM] CWE-290: Fleet has a rate limiting bypass via untrusted client IP headers
Impact: Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP address using HTTP headers such as: - X-Forwarded-F
Sources: ghsa
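CVE-2026-46356 and CVE-2026-24000 describe the same root cause from two angles: forwarding headers are only meaningful when the TCP peer that delivered them is a proxy you operate. The added example below is not Fleet's code. It contrasts the described behaviour (first header present wins, whoever sent it) with an extractor that starts from `RemoteAddr`, consults `X-Forwarded-For` only when the peer is in a trusted proxy range, and then walks the chain from the right, past our own proxies, to the first address we did not append ourselves. The `10.0.0.0/8` proxy range and all request addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies are the only peers whose forwarding headers are believed.
// Assumed value for the example: one private load-balancer range.
var trustedProxies = mustParseCIDRs("10.0.0.0/8")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP is the address of the TCP peer, the one value an HTTP client cannot forge.
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// clientIPUnsafe is the behaviour both advisories describe: the first forwarding
// header present wins, whoever sent it. Intentionally vulnerable, for contrast.
func clientIPUnsafe(r *http.Request) string {
	for _, h := range []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"} {
		if v := r.Header.Get(h); v != "" {
			return strings.TrimSpace(strings.Split(v, ",")[0])
		}
	}
	return peerIP(r)
}

// clientIPSafe believes X-Forwarded-For only when the TCP peer is a trusted proxy,
// then walks the chain from the right (the end our proxies appended) and returns
// the first address that is not one of our proxies. A direct connection, or a
// chain containing junk, falls back to the peer address, which only makes the
// rate limit stricter, never looser.
func clientIPSafe(r *http.Request) string {
	peer := peerIP(r)
	if ip := net.ParseIP(peer); ip == nil || !isTrustedProxy(ip) {
		return peer
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return peer
		}
		if !isTrustedProxy(ip) {
			return ip.String()
		}
	}
	return peer
}

func main() {
	// Constructed request: a direct connection that claims to come from somewhere else.
	r := &http.Request{RemoteAddr: "203.0.113.9:51000", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "198.51.100.250")
	fmt.Println("unsafe:", clientIPUnsafe(r), "safe:", clientIPSafe(r))
}
```

Whatever the rate limiter keys on must come from `clientIPSafe` or its equivalent, and the trusted range must be the real set of proxies; trusting a range that contains hosts an attacker can reach reopens the bypass.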
CVE-2026-25963 | P3 | MEDIUM | affected: ≥ 0, < 4.80.1 | 2026-02-26
[MEDIUM] CWE-863: Fleet: Authorization Bypass in certificate template batch deletion for team administrators
Summary: A broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance.
Impact: Fleet supports certificate templates that are scoped to individ
Sources: ghsa, osv