github.com/fleetdm/fleet/v4 (go) security advisories

MEDIUM 6.5

Go

CVE-2026-46371

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Jun 12, 2026

MEDIUM 6.5

Go

CVE-2026-46370

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

Jun 12, 2026

HIGH 7.5

Go

CVE-2026-23998

Fleet has a Windows MDM management endpoint authentication bypass

May 14, 2026

HIGH 7.5

Go

CVE-2026-24899

Fleet Windows MDM Azure AD JWT Authentication Bypass

May 14, 2026

UNKNOWN

Go

CVE-2026-23998

Windows MDM management endpoint authentication bypass in github.com/fleetdm/fleet/v4

May 26, 2026

UNKNOWN

Go

CVE-2026-26062

Fleet server may terminate unexpectedly when handling certain gRPC requests

May 14, 2026

MEDIUM 5.3

Go

CVE-2026-24000

Fleet has a rate limiting bypass via untrusted client IP headers

May 14, 2026

UNKNOWN

Go

CVE-2026-46356

Fleet: IP spoofing allows bypassing API rate limiting

May 14, 2026

UNKNOWN

Go

CVE-2026-26191

Fleet vulnerable to OS command injection in software packages

May 14, 2026

HIGH 7.8

Go

CVE-2026-27806

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Apr 8, 2026

UNKNOWN

Go

CVE-2026-34388

Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint

Mar 30, 2026

UNKNOWN

Go

CVE-2026-34389

Fleet's user account creation via invite does not enforce invited email address

Mar 30, 2026

UNKNOWN

Go

CVE-2026-29180

A Fleet team maintainer can transfer hosts from any team via missing source team authorization

Mar 27, 2026

UNKNOWN

Go

CVE-2026-26061

Fleet's unbounded request body read allows remote Denial of Service

Mar 27, 2026

UNKNOWN

Go

CVE-2026-34385

Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database

Mar 30, 2026

UNKNOWN

Go

CVE-2026-26060

Fleet: Password reset tokens remain valid after password change for 24 hours

Mar 27, 2026

UNKNOWN

Go

CVE-2026-34386

Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin

Mar 30, 2026

UNKNOWN

Go

CVE-2026-34388

Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2026-26061

Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2026-34386

Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2026-34389

Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2026-29180

A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2026-26060

Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2026-34385

Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet

Apr 2, 2026

UNKNOWN

Go

CVE-2020-26276

SAML authentication vulnerability due to stdlib XML parsing

Feb 11, 2022

UNKNOWN

Go

CVE-2026-25963

Fleet: Authorization Bypass in certificate template batch deletion for team administrators in github.com/fleetdm/fleet

Feb 27, 2026

UNKNOWN

Go

CVE-2026-25963

Fleet: Authorization Bypass in certificate template batch deletion for team administrators

Feb 26, 2026

UNKNOWN

Go

CVE-2026-27465

Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users in github.com/fleetdm/fleet

Feb 27, 2026

UNKNOWN

Go

CVE-2026-27465

Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Feb 26, 2026

UNKNOWN

Go

CVE-2026-24004

Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet

Feb 27, 2026

UNKNOWN

Go

CVE-2026-24004

Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

Feb 26, 2026

UNKNOWN

Go

CVE-2026-23999

Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet

Feb 27, 2026

UNKNOWN

Go

CVE-2026-23999

Fleet: Device lock PIN can be predicted if lock time is known

Feb 26, 2026

UNKNOWN

Go

CVE-2026-26186

Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet

Feb 27, 2026

UNKNOWN

Go

CVE-2026-26186

Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter

Feb 26, 2026

UNKNOWN

Go

CVE-2026-23517

Fleet has an Access Control vulnerability in debug/pprof endpoints

Jan 20, 2026

UNKNOWN

Go

CVE-2026-23518

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet

Feb 3, 2026

UNKNOWN

Go

CVE-2026-22808

Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet

Feb 3, 2026

UNKNOWN

Go

CVE-2026-22808

Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability

Jan 20, 2026

UNKNOWN

Go

CVE-2026-23517

Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet

Feb 3, 2026

UNKNOWN

Go

CVE-2025-27509

Fleet has SAML authentication vulnerability due to improper SAML response validation

Mar 6, 2025

UNKNOWN

Go

CVE-2025-27509

Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet

Mar 10, 2025

MEDIUM 5.3

Go

CVE-2022-23600

Limited ability to spoof SAML authentication with missing audience verification in Fleet

Feb 7, 2022

github.com/fleetdm/fleet/v4

Vulnerabilities

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

Fleet has a Windows MDM management endpoint authentication bypass

Fleet Windows MDM Azure AD JWT Authentication Bypass

Windows MDM management endpoint authentication bypass in github.com/fleetdm/fleet/v4

Fleet server may terminate unexpectedly when handling certain gRPC requests

Fleet has a rate limiting bypass via untrusted client IP headers

Fleet: IP spoofing allows bypassing API rate limiting

Fleet vulnerable to OS command injection in software packages

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint

Fleet's user account creation via invite does not enforce invited email address

A Fleet team maintainer can transfer hosts from any team via missing source team authorization

Fleet's unbounded request body read allows remote Denial of Service

Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database

Fleet: Password reset tokens remain valid after password change for 24 hours

Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin

Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint in github.com/fleetdm/fleet

Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet

Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin in github.com/fleetdm/fleet

Fleet's user account creation via invite does not enforce invited email address in github.com/fleetdm/fleet

A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet

Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet

Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database in github.com/fleetdm/fleet

SAML authentication vulnerability due to stdlib XML parsing

Fleet: Authorization Bypass in certificate template batch deletion for team administrators in github.com/fleetdm/fleet

Fleet: Authorization Bypass in certificate template batch deletion for team administrators

Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users in github.com/fleetdm/fleet

Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet

Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

Fleet: Device lock PIN can be predicted if lock time is known in github.com/fleetdm/fleet

Fleet: Device lock PIN can be predicted if lock time is known

Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter in github.com/fleetdm/fleet

Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter

Fleet has an Access Control vulnerability in debug/pprof endpoints

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment in github.com/fleetdm/fleet

Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet

Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability

Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet

Fleet has SAML authentication vulnerability due to improper SAML response validation

Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet

Limited ability to spoof SAML authentication with missing audience verification in Fleet

Start Securing