VulnerableCode Package Details - pkg:golang/github.com/fleetdm/fleet/v4@4.81.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5zgg-t22h-v3ea	Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.	CVE-2026-34389 GHSA-4f9r-x588-pp2h
VCID-82h2-k6ab-ukd7		CVE-2026-26062 GHSA-x67p-9m2r-fxqv
VCID-9xnj-ppp5-t7ea	Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.	CVE-2026-34385 GHSA-v895-833r-8c45
VCID-gx3x-9sm3-vqeu	Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted. As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles. This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.	CVE-2026-23998 GHSA-2rc4-7jc6-qffh
VCID-r1k8-zrdp-2fdz	Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.	CVE-2026-34388 GHSA-w254-4hp5-7cvv
VCID-vcgq-kv47-8fcf	Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.	CVE-2026-34386 GHSA-9p23-p2m4-2r4m

Vulnerability

Summary

Aliases

VCID-5zgg-t22h-v3ea

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.

CVE-2026-34389
GHSA-4f9r-x588-pp2h

VCID-82h2-k6ab-ukd7

CVE-2026-26062
GHSA-x67p-9m2r-fxqv

VCID-9xnj-ppp5-t7ea

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets. Version 4.81.0 patches the issue.

CVE-2026-34385
GHSA-v895-833r-8c45

VCID-gx3x-9sm3-vqeu

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted. As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles. This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

CVE-2026-23998
GHSA-2rc4-7jc6-qffh

VCID-r1k8-zrdp-2fdz

Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.

CVE-2026-34388
GHSA-w254-4hp5-7cvv

VCID-vcgq-kv47-8fcf

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls. Version 4.81.0 patches the issue.

CVE-2026-34386
GHSA-9p23-p2m4-2r4m

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T07:52:04.152344+00:00	GithubOSV Importer	Fixing	VCID-82h2-k6ab-ukd7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x67p-9m2r-fxqv/GHSA-x67p-9m2r-fxqv.json	38.6.0
2026-06-12T07:51:40.867301+00:00	GithubOSV Importer	Fixing	VCID-gx3x-9sm3-vqeu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2rc4-7jc6-qffh/GHSA-2rc4-7jc6-qffh.json	38.6.0
2026-06-12T07:50:28.098783+00:00	GithubOSV Importer	Fixing	VCID-5zgg-t22h-v3ea	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4f9r-x588-pp2h/GHSA-4f9r-x588-pp2h.json	38.6.0
2026-06-12T07:50:26.437103+00:00	GithubOSV Importer	Fixing	VCID-r1k8-zrdp-2fdz	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-w254-4hp5-7cvv/GHSA-w254-4hp5-7cvv.json	38.6.0
2026-06-12T07:50:08.188989+00:00	GithubOSV Importer	Fixing	VCID-9xnj-ppp5-t7ea	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v895-833r-8c45/GHSA-v895-833r-8c45.json	38.6.0
2026-06-12T07:49:46.834077+00:00	GithubOSV Importer	Fixing	VCID-vcgq-kv47-8fcf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-9p23-p2m4-2r4m/GHSA-9p23-p2m4-2r4m.json	38.6.0