CRITICAL🇵🇱 Wersja polska

CVE-2026-23518

CVSS 9.3v4.0pub. 2026-01-21upd. 2026-02-27

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Fleetdm Fleet

    APP
    Fleetdm
    4.77.0< 4.53.34.75.0 – 4.75.2 (bez)4.76.0 – 4.76.2 (bez)4.78.0 – 4.78.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-26276CRITICAL10.0ten sam produkt

Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library...

CVE-2026-24899HIGH8.2ten sam produkt

Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows M...

CVE-2026-26062HIGH8.7ten sam produkt

Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service ...

CVE-2026-23998HIGH8.2ten sam produkt

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows M...

CVE-2026-27806HIGH7.8ten sam produkt

Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption ...