Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
GHSA-9pm7-6g36-6j78 · CVE-2026-24004 · GO-2026-4563
Published · Modified
Description
Summary
A vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management.
Impact
If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication.
This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device.
Workarounds
If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
For more information
If there any questions or comments about this advisory:
Email Fleet at security@fleetdm.com
Join #fleet in osquery Slack
Credits
Fleet thanks @secfox-ai for responsibly reporting this issue.
Ready to move
Start Securing
Free, no credit card | First findings in minutes