Description
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Published: 2026-01-21
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting leading to theft of authentication token
Action: Immediate Patch
AI Analysis

Impact

Fleet's open source device management software exposes an XSS flaw that, when Windows MDM is enabled, allows any unauthenticated attacker to inject malicious scripts into the web interface. The attacker can then steal the administrator’s authentication token stored in the browser’s localStorage, gaining full administrative access to the Fleet instance, including visibility into device data and the ability to modify configurations. This severity is reflected by a CWE‑79 labeling of insecure input handling.

Affected Systems

The vulnerability exists in versions prior to 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 of the fleetdm:fleet product. Those installations with Windows MDM enabled are impacted; upgrading to any of the listed patched releases eliminates the risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate risk, but the EPSS score of less than 1% shows that this vulnerability is unlikely to be actively exploited at present. The attacker requires no authentication and only needs the ability to load the affected web page; therefore, the attack vector is remote via the web UI. Because the flaw only affects systems with Windows MDM enabled, administrators who have disabled that feature are not exposed. The vulnerability is not currently listed in the CISA KEV catalog, so no known large‑scale exploitation has been reported.

Generated by OpenCVE AI on April 18, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.78.2 or later
  • If an upgrade is not possible, disable Windows MDM to mitigate the XSS flaw
  • Employ input validation and sanitization on the web UI to prevent future XSS exposures (CWE‑79)

Generated by OpenCVE AI on April 18, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gfpw-jgvr-cw4j Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
History

Wed, 18 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
cpe:2.3:a:fleetdm:fleet:4.77.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Title Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:50:28.717Z

Reserved: 2026-01-09T22:50:10.288Z

Link: CVE-2026-22808

cve-icon Vulnrichment

Updated: 2026-01-22T15:09:39.255Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-21T22:15:49.233

Modified: 2026-02-18T15:31:03.587

Link: CVE-2026-22808

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses