VYPR
High severity7.5NVD Advisory· Published May 14, 2026· Updated May 18, 2026

CVE-2026-46356

CVE-2026-46356

Description

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (True-Client-IP, X-Real-IP, X-Forwarded-For) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites X-Forwarded-For with the true client IP, and apply rate limiting at the proxy or WAF layer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/fleetdm/fleet/v4Go
< 4.80.14.80.1

Affected products

2
  • Fleetdm/Fleetreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*range: <4.80.1

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.