Description
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed any authenticated user, including the lowest-privilege “Observer” role, to reach the debug/pprof endpoints: the server confirmed that the caller was logged in but never checked which role they held. Low-privilege users could therefore read sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, put the debug/pprof endpoints behind an IP allowlist as a workaround.
Published: 2026-01-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to debug/profiling endpoints exposing server diagnostics and enabling CPU‑intensive profiling leading to potential denial of service
Action: Apply Patch
AI Analysis

Impact

A broken access control flaw in the fleetdm Fleet application allows any authenticated user, including those with the lowest Observer role, to reach the debug and pprof endpoints. This can expose internal server diagnostics, runtime profiling data, and in‑memory application state. Because the endpoints support CPU‑heavy profiling operations, a malicious user could trigger denial of service by exhausting server resources.
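To make the CWE-862 shape concrete, here is an added Go example (not Fleet's code, and not taken from the advisory) that contrasts a gate which only checks that the caller is authenticated with one that also requires an admin role before serving net/http/pprof. The role names, the context key and the /debug/pprof/ mount path are assumptions for illustration; the probe helper drives both gates through httptest so the difference shows up as status codes.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// Role is a hypothetical role type for this example; Fleet's own role
// model is not reproduced here. "observer" and "admin" are illustrative.
type Role string

const (
	RoleObserver Role = "observer"
	RoleAdmin    Role = "admin"
)

type roleKey struct{}

// withRole stands in for the authentication layer: the session has already
// been validated and the caller's role attached to the request context.
func withRole(r *http.Request, role Role) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), roleKey{}, role))
}

func roleOf(r *http.Request) (Role, bool) {
	role, ok := r.Context().Value(roleKey{}).(Role)
	return role, ok
}

// pprofMux mounts the standard net/http/pprof handlers. Index also serves
// named profiles such as /debug/pprof/heap (in-memory state); Profile is
// the CPU profiler that runs for ?seconds= (default 30), the DoS vector.
func pprofMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	return mux
}

// vulnerableGate is the CWE-862 pattern: it confirms the caller is logged
// in but never asks which role they hold, so an Observer gets through.
func vulnerableGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := roleOf(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fixedGate adds the missing authorization step: only admins may reach
// diagnostics; any other authenticated role is refused with 403.
func fixedGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := roleOf(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if role != RoleAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probeRole issues one GET for path, optionally as an authenticated user
// with the given role, and returns the HTTP status the gate produced.
func probeRole(h http.Handler, path string, role Role, authed bool) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if authed {
		req = withRole(req, role)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := vulnerableGate(pprofMux())
	fixed := fixedGate(pprofMux())
	fmt.Println("observer  -> vulnerable heap:", probeRole(vuln, "/debug/pprof/heap", RoleObserver, true))
	fmt.Println("observer  -> fixed heap:     ", probeRole(fixed, "/debug/pprof/heap", RoleObserver, true))
	fmt.Println("admin     -> fixed heap:     ", probeRole(fixed, "/debug/pprof/heap", RoleAdmin, true))
	fmt.Println("anonymous -> fixed index:    ", probeRole(fixed, "/debug/pprof/", RoleObserver, false))
}
```

The heap probe is deliberate: it is a real pprof profile that dumps live allocation state, so the vulnerable gate returning 200 for an Observer is exactly the disclosure the advisory describes. The CPU profiler is registered but not probed, because a single request to it would block the handler for the requested number of seconds, which is the denial-of-service side of the same missing check.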

Affected Systems

Fleetdm Fleet versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 are affected. The affected code in the open-source Fleet device management server authenticates the caller but performs no role check before serving the debug/pprof endpoints (CWE-862, Missing Authorization).

Risk and Exploitability

The CVSS v4.0 base score of 6.3 (Medium) indicates moderate severity; NVD's later CVSS v3.1 assessment rates it 8.1 (High), reflecting high confidentiality and availability impact from a low-privileged network attacker. The EPSS score of less than 1% suggests a low exploitation probability at the time of this assessment, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only a valid Fleet account of any role, including Observer, plus network reachability to the Fleet server; no user interaction is required. Successful exploitation exposes profiling data and in-memory state, and repeated CPU-profile requests can degrade or deny service.

Generated by OpenCVE AI on April 18, 2026 at 04:08 UTC.

Remediation

The vendor has released fixed versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 (see GHSA-4r5r-ccr6-q6f6). As a workaround until an upgrade is possible, the vendor advises restricting the debug/pprof endpoints to an IP allowlist.

OpenCVE Recommended Actions

  • Upgrade Fleet to 4.78.3 or newer, or to the patched release of the minor line you run (4.77.1, 4.76.2, 4.75.2, or 4.53.3)
  • If an upgrade cannot be performed immediately, place the debug/pprof endpoints behind an IP allowlist (at the reverse proxy, load balancer, or in front of the handler) so that only trusted administrator networks can reach them; treat any X-Forwarded-For value as untrusted unless your own proxy set it
  • Review access logs for requests to the debug/pprof paths from non-admin accounts, since repeated profile requests are the denial-of-service vector described above
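The IP allowlist workaround, as an added Go example that is neither Fleet's nor OpenCVE's code: a middleware placed in front of everything under /debug/ that refuses any client whose address is outside configured prefixes. The CIDRs, the /debug/ prefix and the trustProxy flag are illustrative assumptions; the X-Forwarded-For handling is included because the usual way this workaround fails is by trusting a header the client can forge.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"strings"
)

// allowlist is the set of network prefixes permitted to reach diagnostics.
type allowlist struct {
	prefixes []netip.Prefix
}

// newAllowlist parses CIDR strings such as "10.0.0.0/8". An unparsable
// entry is an error rather than silently dropped, so a typo fails closed.
func newAllowlist(cidrs ...string) (*allowlist, error) {
	al := &allowlist{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("allowlist entry %q: %w", c, err)
		}
		al.prefixes = append(al.prefixes, p)
	}
	return al, nil
}

func (al *allowlist) contains(addr netip.Addr) bool {
	addr = addr.Unmap() // ::ffff:10.0.0.5 must match a 10.0.0.0/8 rule
	for _, p := range al.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// clientAddr picks the address to check. By default only the TCP peer
// (RemoteAddr) counts. X-Forwarded-For is client-controlled and is used
// only when trustProxy says a trusted reverse proxy appended it; the
// rightmost entry is then the one that proxy added.
func clientAddr(r *http.Request, trustProxy bool) (netip.Addr, error) {
	if trustProxy {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			parts := strings.Split(xff, ",")
			return netip.ParseAddr(strings.TrimSpace(parts[len(parts)-1]))
		}
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	return netip.ParseAddr(host)
}

// restrictDebug fails closed for anything under /debug/: unparsable or
// non-allowlisted sources get 403 before the request reaches pprof.
// Every other path is passed through untouched.
func restrictDebug(al *allowlist, trustProxy bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/debug/") {
			addr, err := clientAddr(r, trustProxy)
			if err != nil || !al.contains(addr) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probeIP sends one GET from remoteAddr, optionally carrying a forged or
// proxy-set X-Forwarded-For, and returns the status the filter produced.
// The wrapped handler is a stand-in for pprof that always answers 200.
func probeIP(al *allowlist, trustProxy bool, path, remoteAddr, xff string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = remoteAddr
	if xff != "" {
		req.Header.Set("X-Forwarded-For", xff)
	}
	rec := httptest.NewRecorder()
	restrictDebug(al, trustProxy, okHandler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed allowlist: an internal admin network plus the proxy's loopback.
	al, err := newAllowlist("10.0.0.0/8", "127.0.0.1/32")
	if err != nil {
		panic(err)
	}
	fmt.Println("admin network, direct:       ", probeIP(al, false, "/debug/pprof/heap", "10.0.0.5:4000", ""))
	fmt.Println("internet, direct:            ", probeIP(al, false, "/debug/pprof/heap", "203.0.113.7:5000", ""))
	fmt.Println("internet, forged XFF:        ", probeIP(al, false, "/debug/pprof/heap", "203.0.113.7:5000", "10.0.0.5"))
	fmt.Println("trusted proxy, external user:", probeIP(al, true, "/debug/pprof/heap", "127.0.0.1:3000", "203.0.113.7"))
	fmt.Println("internet, non-debug path:    ", probeIP(al, false, "/api/v1/hosts", "203.0.113.7:5000", ""))
}
```

This is a network-layer stopgap, not a substitute for the role check: an Observer account on the admin network still reaches pprof. It does shrink the attacker population from "anyone with a Fleet login" to "anyone with a login on an allowlisted network" until the patched release is deployed.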

Generated by OpenCVE AI on April 18, 2026 at 04:08 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-4r5r-ccr6-q6f6
Title: Fleet has an Access Control vulnerability in debug/pprof endpoints
History

Fri, 27 Feb 2026 16:30:00 +0000

Type: CPEs
  Values added: cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
                cpe:2.3:a:fleetdm:fleet:4.77.0:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1)
  Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values added: Fleetdm, Fleetdm fleet
Type: Vendors & Products
  Values added: Fleetdm, Fleetdm fleet

Thu, 22 Jan 2026 23:00:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 22:00:00 +0000

Type: Description
  Values added: Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.
Type: Title
  Values added: Fleet has an Access Control vulnerability in debug/pprof endpoints
Type: Weaknesses
  Values added: CWE-862
Type: References
Type: Metrics (cvssV4_0)
  Values added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:56.246Z

Reserved: 2026-01-13T18:22:43.979Z

Link: CVE-2026-23517

Vulnrichment

Updated: 2026-01-22T15:10:56.685Z

NVD

Status : Analyzed

Published: 2026-01-21T22:15:49.997

Modified: 2026-02-27T16:16:14.830

Link: CVE-2026-23517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses