71 matches found
PT-2026-32407
Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
CVE-2026-32283 vulnerabilities
Vulnerabilities for packages: kpt, mailpit, mariadb-operator-fips, cilium, sbomqs, prometheus-elasticsearch-exporter, secrets-store-csi-driver-provider-azure, terraform-provider-databricks-fips, xeol-fips, esbuild-fips, cert-manager-istio-csr-fips, crossplane-provider-gitlab, blob-csi,...
Incorrect Authorization
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Incorrect Authorization via the enrollment endpoint. An attacker can access Fleet Server policy details from unauthorized spaces b...
EUVD-2026-20523
Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
CVE-2026-33460
Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
CVE-2026-33460 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...
GHSA-W254-4HP5-7CVV Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
Summary A Denial of Service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Impact ...
CVE-2026-34388
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all...
Fleet's unbounded request body read allows remote Denial of Service
Summary Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service DoS...
GHSA-8FJ7-8H3W-XWFM vulnerabilities
Vulnerabilities for packages: splunk-otel-collector, crossplane-provider-aws-cognitoidentity, grafana-alloy, apache-beam-python-3.12-sdk, traefik-fips, livekit-server-fips, kyverno-policy-reporter-fips, crossplane-provider-aws-dynamodb-fips, kube-logging-operator, crossplane-provider-aws-sqs,...
CVE-2026-27141 vulnerabilities
Vulnerabilities for packages: splunk-otel-collector, crossplane-provider-aws-cognitoidentity, grafana-alloy, apache-beam-python-3.12-sdk, traefik-fips, livekit-server-fips, kyverno-policy-reporter-fips, crossplane-provider-aws-dynamodb-fips, kube-logging-operator, crossplane-provider-aws-sqs,...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the JWT verification process. An attacker can gain unauthorized enrollment of rogue devices by submitting a forged JWT with arbitrary identity claims, as the system fails to verify th...
EUVD-2021-24413
Malware in sbrugna...
EUVD-2024-46267
Malicious code in bioql PyPI...
EUVD-2023-50858
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2021-37937
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that t...
The vulnerability of the server software for managing Elastic Agent agents, known as Elastic Fleet Server, stems from deficiencies in access control. This allows a malicious individual to disclose sensitive information that is protected by this system.
The vulnerability of the server software for managing Elastic Agent agents in Elastic Fleet Server is related to access control deficiencies. Exploiting this vulnerability could allow a malicious actor to disclose sensitive information...
CVE-2024-52975
An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled...
CVE-2024-52975 Fleet Server sensitive information exposure via logs
An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled...
CVE-2024-52975 Fleet Server sensitive information exposure via logs
An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled...