26 matches found
GO-2026-5002 Windows MDM management endpoint authentication bypass in github.com/fleetdm/fleet/v4
Windows MDM management endpoint authentication bypass in github.com/fleetdm/fleet/v4...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication via the windowsMDMManagement endpoint. An attacker can gain unauthorized access to management functionality by bypassing authentication mechanisms. Remediation Upgrade...
GO-2026-4889 Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet
Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabili...
GO-2026-4888 Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet
Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
PT-2026-29955
Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint in github.com/fleetdm/fleet...
PT-2026-29952
Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet...
Improper Check or Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions via the launcher endpoint when an authenticated host sends an unexpected log type value. An attacker can cause the server process to terminate immediately, disrupting all connected...
GO-2026-4563 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization through the certificate template batch deletion process. An attacker can remove certificate templates belonging to other teams by supplying arbitrary team identifiers and template IDs to the API endpoint...
GO-2026-4334 Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet
Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet...
GO-2026-4335 Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet...
PT-2026-6511
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet...
PT-2026-6510
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet...
PT-2026-6509
Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet...
CVE-2026-22808
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token FLEET::authtoken from localStorage...
EUVD-2022-29624
Malicious code in bioql PyPI...
CVE-2022-24841
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a te...
CVE-2025-27509 SAML authentication vulnerability due to improper SAML response validation
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time JIT provisioning is enabled, or create new...
Privilege Escalation
github.com/fleetdm/fleet is vulnerable to privilege escalation. A premium users with access to the team features are facing post-authentication authorization leading to insecure access control. This vulnerability does not affect fleet instances without teams, or with teams but without restricted...
CVE-2022-24841
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a te...