Description
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Published: 2026-01-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Device Enrollment
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a JWT signature bypass in Fleet's Windows MDM enrollment flow that allows attackers to submit forged authentication tokens without signature verification. By crafting such tokens, an attacker can cause Fleet to enroll unauthorized devices under arbitrary Azure AD user identities.
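The flaw class named by the description and by the CWE-347 weakness, shown as an added example in Go (Fleet's implementation language). This is not Fleet's code and is not derived from the advisory: it pairs a minimal RS256 token issuer with a decoder that trusts the payload without checking the signature, and with the hardened decoder that pins the algorithm, verifies the signature against the identity provider's public key, and only then checks issuer and audience. The issuer URL, audience string, UPNs and signing key are constructed for the example; a real Azure AD integration would fetch the tenant's signing keys from its JWKS endpoint and select one by `kid`, which is left out here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the standard JWT claims an enrollment flow would bind a device to.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Upn string `json:"upn,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// segment base64url-decodes part i (0 header, 1 payload, 2 signature) of a compact JWS.
func segment(token string, i int) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	return base64.RawURLEncoding.DecodeString(parts[i])
}

// signRS256 issues a compact JWS the way the identity provider would.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// decodePayload reads the claims without touching the signature; trusting it alone is CWE-347.
func decodePayload(token string) (c Claims, err error) {
	raw, err := segment(token, 1)
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

// verifyToken is the hardened form: pin alg, verify the RS256 signature, then check iss/aud.
func verifyToken(token string, pub *rsa.PublicKey, wantIss, wantAud string) (Claims, error) {
	hdrRaw, err := segment(token, 0)
	sig, err2 := segment(token, 2)
	if err != nil || err2 != nil {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" { // also rejects alg=none and HMAC key confusion
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	h := sha256.Sum256([]byte(token[:strings.LastIndex(token, ".")])) // header.payload is what was signed
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return Claims{}, errors.New("invalid signature")
	}
	c, err := decodePayload(token)
	if err != nil || c.Iss != wantIss || c.Aud != wantAud {
		return Claims{}, fmt.Errorf("payload rejected: err=%v iss=%q aud=%q", err, c.Iss, c.Aud)
	}
	return c, nil
}

// Demo forges a token under a genuine signature and reports what each decoder does with it.
func Demo() (string, bool, error) {
	const iss = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0" // constructed tenant issuer
	const aud = "example-mdm-enrollment"                                                       // constructed audience
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	genuine, err := signRS256(key, Claims{Iss: iss, Aud: aud, Upn: "alice@example.com"})
	if err != nil {
		return "", false, err
	}
	parts := strings.Split(genuine, ".")
	body, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Upn: "admin@example.com"})
	forged := parts[0] + "." + b64(body) + "." + parts[2]    // genuine signature, attacker payload
	c, _ := decodePayload(forged)                            // vulnerable path: well-formed payload, so it is believed
	_, verr := verifyToken(forged, &key.PublicKey, iss, aud) // hardened path: signature no longer matches
	return c.Upn, verr != nil, nil
}

func main() {
	fmt.Println(Demo()) // admin@example.com true <nil>
}
```

Run with `go run .`: the unverified decoder reports the attacker's UPN, while the verifying decoder rejects the same token because the signature was computed over the original payload. The order of checks in `verifyToken` matters: the algorithm is pinned before any cryptography runs, and issuer and audience are compared only after the signature is known to be good, so nothing in the payload is trusted until its origin is established.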

Affected Systems

The affected product is Fleet, the open source device management software, in every release before the fixed version on its branch: 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 (that is, any release still containing the unverified JWT logic). Deployments on these releases are exposed only if the Windows MDM feature is enabled.

Risk and Exploitability

The CVSS v4.0 base score is 9.3 (Critical); NVD additionally records a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. The vector is network-reachable with no privileges or user interaction required: an attacker only needs to reach the Windows MDM enrollment endpoint and present a forged token, after which Fleet enrolls the device under the claimed Azure AD identity. CISA's SSVC assessment marks the issue as Automatable with total technical impact. The low EPSS score suggests exploitation is currently unlikely, but the impact is severe if it is leveraged.

Generated by OpenCVE AI on April 18, 2026 at 15:31 UTC.

Remediation

Vendor fix: upgrade to Fleet 4.78.3, or to the patched maintenance releases 4.77.1, 4.76.2, 4.75.2, or 4.53.3. Workaround: if an immediate upgrade is not possible, temporarily disable Windows MDM.

OpenCVE Recommended Actions

  • Upgrade Fleet to a fixed release: 4.78.3 or newer, or one of the patched maintenance releases 4.77.1, 4.76.2, 4.75.2, or 4.53.3, as listed in the vendor advisory (GHSA-63m5-974w-448v).
  • Until the upgrade is applied, disable Windows MDM so that the enrollment endpoint cannot be used to register unauthorized devices.
  • Review Windows MDM enrollments made while a vulnerable version was exposed; treat any enrollment whose Azure AD identity cannot be matched to a legitimate user and device as suspect and investigate it.


Advisories
Source: GitHub GHSA
ID: GHSA-63m5-974w-448v
Title: Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
History

Fri, 27 Feb 2026 16:15:00 +0000

CPEs added:
  cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
  cpe:2.3:a:fleetdm:fleet:4.77.0:*:*:*:*:*:*:*
Metrics added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 16:45:00 +0000

First time appeared: Fleetdm; Fleetdm fleet
Vendors & Products added: Fleetdm; Fleetdm fleet

Thu, 22 Jan 2026 23:00:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 22:00:00 +0000

Description added: the current description (as shown at the top of this page)
Title added: Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Weaknesses added: CWE-347
References
Metrics added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:50.477Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23518

Vulnrichment

Updated: 2026-01-22T15:13:37.869Z

NVD

Status: Analyzed

Published: 2026-01-21T22:15:50.140

Modified: 2026-02-27T16:14:59.390

Link: CVE-2026-23518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses