Fleet has an Access Control vulnerability in debug/pprof endpoints
GHSA-4r5r-ccr6-q6f6 · CVE-2026-23517 · GO-2026-4334
Published · Modified
Description
Summary
A broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.
Impact
Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.
Patches
- 4.78.3
- 4.77.1
- 4.76.2
- 4.75.2
- 4.53.3
Workarounds
If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist.
For more information
If you have any questions or comments about this advisory:
Email us at security@fleetdm.com
Join #fleet in osquery Slack
Credits
We thank @secfox-ai for responsibly reporting this issue.
References
- WEB https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-23517
- WEB https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317
- PACKAGE https://github.com/fleetdm/fleet
- WEB https://pkg.go.dev/vuln/GO-2026-4334
Ready to move
Start Securing
Free, no credit card | First findings in minutes