28 matches found
CVE-2026-23999
CVE-2026-23999 affects Fleet open source device management before version 4.80.1. The vulnerability stems from a predictable 6‑digit PIN (device lock/wipe) derived from the current Unix timestamp without secret entropy, allowing an attacker with physical access and knowledge of approximate lock t...
CVE-2026-27465
Summary: CVE-2026-27465 affects Fleet before v4.80.1, where the configuration API could expose Google Calendar service account credentials to authenticated users with the lowest-privilege role (Observer). The credentials were not properly obfuscated, potentially allowing unauthorized access to Go...
CVE-2022-23600
Fleet (fleetdm/fleet) before version 4.9.1 is vulnerable to a limited SAML authentication spoof due to missing audience verification. Two attack scenarios are described: (1) a malicious SP could log in as a Fleet user if the user has a matching email in Fleet and signs into the malicious SP via t...
CVE-2022-24841
CVE-2022-24841 affects fleetdm/fleet (osquery-based device management). In versions with the teams feature, a team admin can illegitimately grant themselves admin/maintainer/observer privileges on other teams due to an authorization bypass. Instances without teams or with unrestricted teams accou...
CVE-2021-21296
Fleet is an open-source osquery manager. CVE-2021-21296 affects Fleet versions prior to 3.7.0, where a malicious actor with a valid node key can send a malformed request that crashes the Fleet server during an ongoing live query, causing denial of service. The impact is described as low due to th...
CVE-2020-26276
CVE-2020-26276 affects Fleet, an open source osquery manager. The issue arises before version 3.5.1 due to Go's standard library XML parsing, allowing a crafted SAML response to mutate the trusted document and enable unverified logins from a SAML IdP. Impact is limited to Fleet instances configur...
CVE-2026-25963
Fleet is an open source device management platform. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could let a team administrator delete certificate templates belonging to other teams within the same Fleet instance. The affected flow validat...
CVE-2026-46356
Fleet (open-source device management) before v4.80.1 is vulnerable: an IP extraction flaw lets unauthenticated attackers bypass per-IP rate limits by rotating headers like True-Client-IP, X-Real-IP, or X-Forwarded-For, enabling brute-force or credential stuffing on exposed instances. Root cause: ...
CVE-2026-24899
CVE-2026-24899 affects Fleet Windows MDM enrollment. Before 4.82.0, Fleet validates JWTs with Microsoft’s multi-tenant JWKS but does not enforce aud or iss, allowing any Microsoft-signed Azure AD access token with the expected scopes to authenticate to Fleet’s MDM endpoints. If Windows MDM is ena...
CVE-2026-23517
Fleet (open source device management software) has a broken access control vulnerability in debug/pprof endpoints that allows any authenticated user, including the lowest-privilege Observer role, to access internal server diagnostics and trigger CPU-intensive profiling operations. This affects ve...
CVE-2026-26061
CVE-2026-26061 affects the open‑source Fleet device management platform. Versions prior to 4.81.0 expose multiple unauthenticated HTTP endpoints that read request bodies without a size limit, enabling an unauthenticated attacker to send large or repeated payloads and trigger excessive memory allo...
CVE-2026-26191
Fleet prior to version 4.81.0 is affected by a vulnerability in the software installer pipeline where metadata from uploaded packages (pkg, deb, rpm, exe, msi) is used to generate uninstall scripts without proper sanitization. A crafted package could cause arbitrary commands to run with root priv...
CVE-2026-24000
Fleet is open-source device management software. A vulnerability in versions prior to 4.80.1 lets attackers spoof the client’s apparent IP by abusing unvalidated headers (X-Forwarded-For, X-Real-IP, True-Client-IP) to bypass per-IP rate limiting. This affects how Fleet determines a client’s publi...
CVE-2026-26186
Fleet is affected by a SQL injection in versions prior to 4.80.1. The flaw stems from unsafe use of goqu.I() while building the ORDER BY clause, allowing an authenticated user to inject arbitrary SQL expressions via the order_key parameter. This can enable blind SQL injection techniques to disclo...
CVE-2026-34391
CVE-2026-34391 concerns Fleet, an open‑source device management platform. A flaw in Fleet’s Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data (e.g., WiFi credentials, VPN secrets, ...
CVE-2026-23998
CVE-2026-23998 affects Fleet open-source device management software, specifically the Windows MDM management endpoint. A vulnerability in the endpoint could allow requests without proper client certificate validation to be processed as trusted, enabling an attacker who knows a valid enrolled devi...
CVE-2026-23518
Fleet is open source device management software. CVE-2026-23518 describes a JWT signature bypass in Fleet’s Windows MDM enrollment flow, where attacker-supplied tokens could be accepted without proper JWT verification, allowing enrollment of unauthorized devices under arbitrary Azure AD identitie...
CVE-2026-26060
CVE-2026-26060 concerns Fleet, an open-source device-management platform. According to the provided sources, prior to version 4.81.0, the password-management logic allowed previously issued password-reset tokens to remain valid after a user changes their password, enabling a stale token to be use...
CVE-2026-27806
Fleet Orbit is affected prior to version 4.81.1 where the Orbit agent’s FileVault rotation flow collects a local user’s password through a GUI dialog and interpolates it into a Tcl/expect script executed via exec.Command("expect", "-c", script). The password is inserted into a Tcl brace-quoted se...
CVE-2026-34386
Fleet is open source device management software. Before 4.81.0, a SQL injection vulnerability in Fleet’s MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet da...
CVE-2026-24004
CVE-2026-24004 affects Fleet open source device management software prior to 4.80.1. The issue is in Android MDM Pub/Sub handling, allowing unauthenticated requests to trigger unenrollment events, potentially removing individual Android devices from Fleet management. Impact is disruption of Andro...
CVE-2026-26062
CVE-2026-26062 affects Fleet before version 4.81.0, where the gRPC Launcher PublishLogs endpoint could terminate the Fleet server when handling certain inputs. An authenticated attacker with access to an enrolled Launcher node key could trigger an immediate DoS by sending a single gRPC request, i...
CVE-2026-34385
CVE-2026-34385 affects Fleet open source device management software. A second‑order SQL injection in Fleet’s Apple MDM profile delivery pipeline prior to 4.81.0 could allow a user with a valid MDM enrollment certificate to exfiltrate or modify the Fleet database contents, including user credentia...
CVE-2026-29180
Fleet is an open-source device management platform. Before version 4.81.1, a broken access control in Fleet’s host transfer API allows a team maintainer to transfer hosts from any team into their own, bypassing team isolation. Once transferred, the attacker gains full control over the stolen host...
CVE-2026-34387
Fleet is an open source device management platform. A command injection vulnerability exists in Fleet’s software installer pipeline prior to version 4.81.1, enabling arbitrary code execution as root on macOS/Linux or SYSTEM on Windows when uninstalling a crafted software package. Affected compone...
CVE-2026-34389
CVE-2026-34389 affects Fleet open-source device management. Before 4.81.0, the user invitation flow did not validate the invitee’s email during invite acceptance against the email tied to the invite token. An attacker with a valid invite token could create an account under an arbitrary email whil...
CVE-2026-22808
CVE-2026-22808 describes a Cross-site Scripting (XSS) vulnerability in Fleet Windows MDM endpoint (fleetdm/fleet). If Windows MDM is enabled, an unauthenticated attacker could trigger XSS to steal the Fleet administrator token (FLEET::auth_token) from localStorage, potentially enabling unauthoriz...
CVE-2026-34388
CVE-2026-34388 affects Fleet open-source device management software. Before version 4.81.0, an unaudited denial-of-service condition exists in Fleet’s gRPC Launcher endpoint, where an authenticated host can crash the entire Fleet server process by sending an unexpected log type value. The crash t...