Go modules package

github.com/fleetdm/fleet/v4

pkg:golang/github.com/fleetdm/fleet/v4

Vulnerabilities (18)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-27806	Hig	7.8	< 4.81.1	4.81.1	Apr 8, 2026	Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", scr
CVE-2026-34389	Med	6.5	< 4.81.0	4.81.0	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a vali
CVE-2026-34388	Hig	7.5	< 4.81.0	4.81.0	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately,
CVE-2026-34386	Hig	8.8	< 4.81.0	4.81.0	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive dat
CVE-2026-34385	Hig	8.1	< 4.81.0	4.81.0	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database,
CVE-2026-29180	Hig	8.8	< 4.81.1	4.81.1	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker g
CVE-2026-26061	Hig	7.5	< 4.43.5-0.20260113202849-bbc1aef2987d	4.43.5-0.20260113202849-bbc1aef2987d	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, c
CVE-2026-26060	Hig	8.8	< 4.43.5-0.20260113202849-bbc1aef2987d	4.43.5-0.20260113202849-bbc1aef2987d	Mar 27, 2026	Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reuse
CVE-2026-27465		—	< 4.80.1	4.80.1	Feb 26, 2026	Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calend
CVE-2026-25963		—	< 4.80.1	4.80.1	Feb 26, 2026	Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet
CVE-2026-23999		—	< 4.80.1	4.80.1	Feb 26, 2026	Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentia
CVE-2026-24004		—	< 4.80.1	4.80.1	Feb 26, 2026	Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices
CVE-2026-26186		—	< 4.80.1	4.80.1	Feb 26, 2026	Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause,
CVE-2026-23517		—	< 4.78.3-0.20260112221730-5c030e32a3a9	4.78.3-0.20260112221730-5c030e32a3a9	Jan 21, 2026	Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view inter
CVE-2026-22808		—	< 4.43.5-0.20260111020427-0e6c790803d1	4.43.5-0.20260111020427-0e6c790803d1	Jan 21, 2026	fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_toke
CVE-2025-27509	Cri	—	>= 4.64.0, < 4.64.2	4.64.2	Mar 6, 2025	fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is ena
CVE-2022-23600		—	< 4.9.1	4.9.1	Feb 4, 2022	fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service Prov
CVE-2020-26276		—	< 3.5.1	3.5.1	Dec 17, 2020	Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users tha

CVE-2026-27806HigApr 8, 2026
affected < 4.81.1fixed 4.81.1
Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", scr
CVE-2026-34389MedMar 27, 2026
affected < 4.81.0fixed 4.81.0
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a vali
CVE-2026-34388HigMar 27, 2026
affected < 4.81.0fixed 4.81.0
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately,
CVE-2026-34386HigMar 27, 2026
affected < 4.81.0fixed 4.81.0
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive dat
CVE-2026-34385HigMar 27, 2026
affected < 4.81.0fixed 4.81.0
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database,
CVE-2026-29180HigMar 27, 2026
affected < 4.81.1fixed 4.81.1
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker g
CVE-2026-26061HigMar 27, 2026
affected < 4.43.5-0.20260113202849-bbc1aef2987dfixed 4.43.5-0.20260113202849-bbc1aef2987d
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, c
CVE-2026-26060HigMar 27, 2026
affected < 4.43.5-0.20260113202849-bbc1aef2987dfixed 4.43.5-0.20260113202849-bbc1aef2987d
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reuse
CVE-2026-27465Feb 26, 2026
affected < 4.80.1fixed 4.80.1
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calend
CVE-2026-25963Feb 26, 2026
affected < 4.80.1fixed 4.80.1
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet
CVE-2026-23999Feb 26, 2026
affected < 4.80.1fixed 4.80.1
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentia
CVE-2026-24004Feb 26, 2026
affected < 4.80.1fixed 4.80.1
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices
CVE-2026-26186Feb 26, 2026
affected < 4.80.1fixed 4.80.1
Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause,
CVE-2026-23517Jan 21, 2026
affected < 4.78.3-0.20260112221730-5c030e32a3a9fixed 4.78.3-0.20260112221730-5c030e32a3a9
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view inter
CVE-2026-22808Jan 21, 2026
affected < 4.43.5-0.20260111020427-0e6c790803d1fixed 4.43.5-0.20260111020427-0e6c790803d1
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_toke
CVE-2025-27509CriMar 6, 2025
affected >= 4.64.0, < 4.64.2fixed 4.64.2
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is ena
CVE-2022-23600Feb 4, 2022
affected < 4.9.1fixed 4.9.1
fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service Prov
CVE-2020-26276Dec 17, 2020
affected < 3.5.1fixed 3.5.1
Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users tha