CVE-2026-34389

Medium CVSS: 4.9

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.

Vendor

Fleetdm

Product

Fleet

CWE

CWE-287

Yayın Tarihi

2026-03-27 20:16:35

Güncelleme

2026-04-02 19:41:09

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Fleet MEDIUM Fleetdm 2026

Referanslar

https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h

Benzer Kayıtlar

Medium

CVE-2026-34391

Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command process…

Medium

CVE-2026-34388

Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Laun…

Medium

CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap…

Medium

CVE-2026-26060

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic c…

High

CVE-2026-26061

Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoint…

Medium

CVE-2026-29180

Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host…