71 matches found
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the upload endpoint. An attacker can exhaust system memory by submitting specially crafted requests, potentially causing the service to become unavailable. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the upload endpoint. An attacker can exhaust system memory by submitting specially crafted requests, potentially causing the service to become unavailable. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview github.com/elastic/fleet-server/internal/pkg/api is a control server to manage a fleet of elastic-agents. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the upload endpoint. An attacker can exhaust system memory by submitting...
Allocation of Resources Without Limits or Throttling
Overview github.com/elastic/fleet-server/v7/internal/pkg/api is a control server to manage a fleet of elastic-agents. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the upload endpoint. An attacker can exhaust system memory by submitti...
CVE-2026-56150
Allocation of Resources Without Limits or Throttling CWE-770 in Fleet Server can lead to a denial of service via Excessive Allocation CAPEC-130. An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server...
CVE-2026-56150
Allocation of Resources Without Limits or Throttling CWE-770 in Fleet Server can lead to a denial of service via Excessive Allocation CAPEC-130. An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server...
CVE-2026-56150
MODE C: CVE-2026-56150 affects Elastic Fleet Server via Allocation of Resources Without Limits or Throttling (upload endpoint memory exhaustion). Multiple connected sources describe the vulnerability in Fleet Server's internal API packages and uploader, enabling an attacker to exhaust RAM and pot...
CVE-2026-56150 Allocation of Resources Without Limits or Throttling in Fleet Server Leading to Denial of Service
Allocation of Resources Without Limits or Throttling CWE-770 in Fleet Server can lead to a denial of service via Excessive Allocation CAPEC-130. An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server...
EUVD-2026-41077
Allocation of Resources Without Limits or Throttling CWE-770 in Fleet Server can lead to a denial of service via Excessive Allocation CAPEC-130. An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server...
GHSA-MQQF-5WVP-8FH8 vulnerabilities
Vulnerabilities for packages: aws-lambda-runtime-interface-emulator, custom-pod-autoscaler, fleet-server-fips, kyverno-fips, cloudbeat-fips, custom-pod-autoscaler-fips, cloudbeat, commercial-kyverno, aws-lambda-runtime-interface-emulator-fips...
CVE-2025-69725 vulnerabilities
Vulnerabilities for packages: aws-lambda-runtime-interface-emulator, custom-pod-autoscaler, fleet-server-fips, kyverno-fips, cloudbeat-fips, custom-pod-autoscaler-fips, cloudbeat, commercial-kyverno, aws-lambda-runtime-interface-emulator-fips...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication via the windowsMDMManagement endpoint. An attacker can gain unauthorized access to management functionality by bypassing authentication mechanisms. Remediation Upgrade github.com/fleetdm/fleet/server/service to...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication via the windowsMDMManagement endpoint. An attacker can gain unauthorized access to management functionality by bypassing authentication mechanisms. Remediation Upgrade github.com/fleetdm/fleet/server/mock to...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...
CVE-2026-26062
CVE-2026-26062 affects Fleet before version 4.81.0, where the gRPC Launcher PublishLogs endpoint could terminate the Fleet server when handling certain inputs. An authenticated attacker with access to an enrolled Launcher node key could trigger an immediate DoS by sending a single gRPC request, i...
EUVD-2026-30375
Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service DoS issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to...
GHSA-X67P-9M2R-FXQV Fleet server may terminate unexpectedly when handling certain gRPC requests
Summary Fleet contained a denial-of-service DoS issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled...
PT-2026-40970
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.0 Description A denial-of-service DoS issue exists in the gRPC Launcher "PublishLogs" endpoint. Certain unexpected input values are not handled gracefully, which can cause the server process to terminate while...
CVE-2026-29181 vulnerabilities
Vulnerabilities for packages: cluster-api-provider-vsphere, gitlab-kas-fips, crossplane-provider-aws-kafka, crossplane-provider-aws-cloudwatchevents, crossplane-provider-azure-resources, crossplane-provider-aws-kafka-fips, crossplane-provider-aws-cloudwatchlogs, commercial-grafana, emissary,...
GHSA-MH2Q-Q3FH-2475 vulnerabilities
Vulnerabilities for packages: cluster-api-provider-vsphere, gitlab-kas-fips, crossplane-provider-aws-kafka, crossplane-provider-aws-cloudwatchevents, crossplane-provider-azure-resources, crossplane-provider-aws-kafka-fips, crossplane-provider-aws-cloudwatchlogs, commercial-grafana, emissary,...