VYPR
Vendor: Fleetdm
Products: 1
CVEs: 32 (across products: 32)
Status: Private

Recent CVEs (32)
  • CVE-2026-26191 | Critical | May 14, 2026
    risk 0.57, CVSS 9.8, EPSS 0.01

    Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall…

  • CVE-2026-34387 | Critical | Mar 27, 2026
    risk 0.57, CVSS 9.8, EPSS 0.01

    Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is…

  • CVE-2025-27509 | Critical | Mar 6, 2025
    risk 0.53, CVSS not listed, EPSS 0.01

    fleetdm/fleet is open source device management software, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is…

  • CVE-2026-34386 | High | Mar 27, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive…

  • CVE-2026-29180 | High | Mar 27, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker…

  • CVE-2026-26060 | High | Mar 27, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be…

  • CVE-2026-34385 | High | Mar 27, 2026
    risk 0.46, CVSS 8.1, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database,…

  • CVE-2026-27806 | High | Apr 8, 2026
    risk 0.44, CVSS 7.8, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c",…

  • CVE-2026-46356 | High | May 14, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against…

  • CVE-2026-24899 | High | May 14, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS…

  • CVE-2026-23998 | High | May 14, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to…

  • CVE-2026-34391 | High | Mar 27, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi…

  • CVE-2026-34388 | High | Mar 27, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately,…

  • CVE-2026-26061 | High | Mar 27, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads,…

  • CVE-2026-26062 | Medium | May 14, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet…

  • CVE-2026-34389 | Medium | Mar 27, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a…

  • CVE-2026-24000 | Medium | May 14, 2026
    risk 0.27, CVSS 5.3, EPSS 0.00

    Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass…

  • CVE-2018-19798 | Mar 2, 2020
    risk 0.01, CVSS not listed, EPSS 0.03

    Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote…

  • CVE-2026-46371 | Jun 12, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service…

  • CVE-2026-46370 | Jun 12, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (`node_key`, `orbit_node_key`) through a cursor-based binary search oracle. The endpoint accepted a…