VYPR
Medium severity6.5NVD Advisory· Published May 14, 2026· Updated May 18, 2026

CVE-2026-26062

CVE-2026-26062

Description

Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host. An authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the PublishLogs endpoint. This vulnerability impacts availability only. There is no exposure of sensitive data, no authentication bypass, no privilege escalation, and no integrity impact. Version 4.81.0 contains a patch. If upgrading immediately is not possible, the following mitigations can reduce exposure. Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges); deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required; and/or monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/fleetdm/fleet/v4Go
< 4.81.04.81.0

Affected products

3
  • Fleetdm/Fleetreferences3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*range: <4.81.0
    • (no CPE)range: <4.81.0

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.