Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

fleet — Vulnerabilities & Security Advisories 30

All 30 CVE vulnerabilities found in fleet, with AI-generated Chinese analysis, references, and POCs.

This page is a vulnerability aggregation resource for the Fleet platform, focusing on CVE-based weaknesses and security advisories. It compiles reported vulnerabilities affecting Fleet, encompassing remote code execution flaws, authentication bypasses, privilege escalation issues, and configuration weaknesses that have been identified by researchers, disclosed by the vendor, or found during independent security assessments. The data spans from the initial release of the product through the most recent months, ensuring a comprehensive historical view of the security landscape surrounding this fleet management solution. By reviewing this collection, users can track vendor advisory timelines to understand how quickly threats are addressed, gain insight into common vulnerability classes that impact the product’s architecture, and examine the historical trend of security incidents to assess long-term stability. This information supports security teams in prioritizing patching efforts, validating risk assessments, and maintaining compliance with internal security policies. The page does not include speculative or unverified claims, relying instead on confirmed reports and official statements. Access to detailed technical descriptions, affected versions, and remediation steps is provided for each entry where available. This structured approach allows stakeholders to efficiently navigate the complexity of fleet-wide security management and make informed decisions about deployment and update schedules. All data is sourced from publicly available channels and official vendor documentation to ensure accuracy and reliability for enterprise users.

Vendor: Fleet

CVE IDTitleCVSSSeverityPublished
CVE-2026-46356 Fleet: IP spoofing allows bypassing API rate limiting CWE-290--2026-05-14
CVE-2026-26191 Fleet vulnerable to OS command injection in software packages CWE-78--2026-05-14
CVE-2026-26062 Fleet server may terminate unexpectedly when handling certain gRPC requests CWE-20--2026-05-14
CVE-2026-24899 Fleet Windows MDM Azure AD JWT Authentication Bypass CWE-290--2026-05-14
CVE-2026-24000 Fleet has a rate limiting bypass via untrusted client IP headers CWE-290--2026-05-14
CVE-2026-23998 Fleet has a Windows MDM management endpoint authentication bypass CWE-295--2026-05-14
CVE-2026-27806 Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit CWE-78 7.8 High2026-04-08
CVE-2026-34391 Fleet Vulnerable to Windows MDM cross-device command disclosure CWE-488 6.5 -2026-03-27
CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address CWE-287 8.8 -2026-03-27
CVE-2026-34388 Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint CWE-703 6.5 -2026-03-27
CVE-2026-34387 Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts CWE-78 7.2 -2026-03-27
CVE-2026-34386 Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin CWE-89 6.5 -2026-03-27
CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database CWE-89 8.8 -2026-03-27
CVE-2026-29180 Fleet's team maintainer can transfer hosts from any team via missing source team authorization CWE-862 9.1 -2026-03-27
CVE-2026-26061 Fleet's unbounded request body read allows remote Denial of Service CWE-770 7.5 -2026-03-27
CVE-2026-26060 Fleet: Password reset tokens remain valid after password change for 24 hours CWE-613 7.5 -2026-03-27
CVE-2026-27465 Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users CWE-201 4.3AIMediumAI2026-02-26
CVE-2026-25963 Fleet: Authorization Bypass in certificate template batch deletion for team administrators CWE-863 3.8AILowAI2026-02-26
CVE-2026-23999 Fleet: Device lock PIN can be predicted if lock time is known CWE-330 5.7AIMediumAI2026-02-26
CVE-2026-24004 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint CWE-862 8.2AIHighAI2026-02-26
CVE-2026-26186 Fleet has a SQL injection via backtick escape in ORDER BY parameter CWE-89 8.1AIHighAI2026-02-26
CVE-2026-23518 Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment CWE-347 9.4AICriticalAI2026-01-21
CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints CWE-862 6.5AIMediumAI2026-01-21
CVE-2026-22808 Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability CWE-79 8.8AIHighAI2026-01-21
CVE-2025-27509 SAML authentication vulnerability due to improper SAML response validation CWE-285 8.8 -2025-03-06
CVE-2022-24841 Improper Authorization in github.com/fleetdm/fleet CWE-284 6.5 Medium2022-04-18
CVE-2022-23600 Limited ability to spoof SAML authentication with missing audience verification CWE-287 5.3 Medium2022-02-04
CVE-2021-21296 Denial-of-service in Fleet CWE-400 2.7 Low2021-02-10
CVE-2020-26276 SAML authentication vulnerability in Fleet CWE-290 10.0 Critical2020-12-17
CVE-2019-1020009 Fleet 信任管理问题漏洞 7.5 -2019-07-29

All 30 known CVE vulnerabilities affecting fleet with full Chinese analysis, references, and POCs where available.