CVE-2026-23518

Critical CVSS: 9.3

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Vendor

Fleetdm

Product

Fleet

CWE

CWE-347

Yayın Tarihi

2026-01-21 22:15:50

Güncelleme

2026-02-27 16:14:59

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-347 Fleet CRITICAL Fleetdm 2026

Referanslar

https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257 https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v

Benzer Kayıtlar

Medium

CVE-2026-34391

Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command process…

Medium

CVE-2026-34388

Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Laun…

Medium

CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow w…

Medium

CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap…

Medium

CVE-2026-26060

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic c…

High

CVE-2026-26061

Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoint…