Fleet
by Fleetdm
Source repositories
CVEs (32)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-27465 | 0.00 | — | 0.00 | Feb 26, 2026 | Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google… | |||
| CVE-2026-25963 | 0.00 | — | 0.00 | Feb 26, 2026 | Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance.… | |||
| CVE-2026-23999 | 0.00 | — | 0.00 | Feb 26, 2026 | Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could… | |||
| CVE-2026-24004 | 0.00 | — | 0.00 | Feb 26, 2026 | Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android… | |||
| CVE-2026-26186 | 0.00 | — | 0.00 | Feb 26, 2026 | Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY`… | |||
| CVE-2026-23518 | 0.00 | — | 0.00 | Jan 21, 2026 | Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT… | |||
| CVE-2026-23517 | 0.00 | — | 0.00 | Jan 21, 2026 | Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view… | |||
| CVE-2026-22808 | 0.00 | — | 0.00 | Jan 21, 2026 | fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token… | |||
| CVE-2022-24841 | 0.00 | — | 0.01 | Apr 18, 2022 | fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In… | |||
| CVE-2022-23600 | 0.00 | — | 0.01 | Feb 4, 2022 | fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service… | |||
| CVE-2021-21296 | 0.00 | — | 0.02 | Feb 10, 2021 | Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing.… | |||
| CVE-2020-26276 | 0.00 | — | 0.02 | Dec 17, 2020 | Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users… |
- CVE-2026-27465Feb 26, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google…
- CVE-2026-25963Feb 26, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance.…
- CVE-2026-23999Feb 26, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could…
- CVE-2026-24004Feb 26, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android…
- CVE-2026-26186Feb 26, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY`…
- CVE-2026-23518Jan 21, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT…
- CVE-2026-23517Jan 21, 2026risk 0.00cvss —epss 0.00
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view…
- CVE-2026-22808Jan 21, 2026risk 0.00cvss —epss 0.00
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token…
- CVE-2022-24841Apr 18, 2022risk 0.00cvss —epss 0.01
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In…
- CVE-2022-23600Feb 4, 2022risk 0.00cvss —epss 0.01
fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service…
- CVE-2021-21296Feb 10, 2021risk 0.00cvss —epss 0.02
Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing.…
- CVE-2020-26276Dec 17, 2020risk 0.00cvss —epss 0.02
Fleet is an open source osquery manager. In Fleet before version 3.5.1, due to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. This can result in allowing unverified logins from a SAML IdP. Users…
Page 2 of 2