Description
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted. As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles. This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Published: 2026-05-14
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fleet’s Windows MDM management endpoint relied on mutual TLS client certificates for authentication. Prior to version 4.81.0, requests that omitted a client certificate were incorrectly granted trust, allowing an attacker who knew a valid enrolled device identifier to impersonate that device and receive configuration payloads such as Wi‑Fi, VPN, certificate or other secret data. The vulnerability does not enable new device enrollment, administrative control of Fleet, or compromise of the control plane; the compromise is limited to disclosure of configuration information for the targeted device.
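The following is an added illustration of the CWE-295 pattern the advisory describes, written for this page and not taken from Fleet's code base. It shows, side by side, an authorization check that falls through to "trusted" when no client certificate is presented and the fail-closed form. The device registry, the `device` query parameter, and the handler layout are assumptions; Go's TLS stack is assumed to run with `ClientAuth` of at least `tls.VerifyClientCertIfGiven`, so that `VerifiedChains` is populated only for a certificate that chained to the configured client CA pool.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
)

// enrolled is a constructed stand-in for the device registry; its keys are the
// enrolled device identifiers that the advisory says an attacker would need to know.
var enrolled = map[string]bool{"DEVICE-0001": true}

// vulnerableAuth models the flawed pattern: a presented certificate is verified
// and matched against the registry, but a request that presents no client
// certificate at all falls through and is trusted as the device it names.
func vulnerableAuth(state *tls.ConnectionState, requestedID string) bool {
	if state != nil && len(state.PeerCertificates) > 0 {
		if len(state.VerifiedChains) == 0 {
			return false
		}
		return state.PeerCertificates[0].Subject.CommonName == requestedID && enrolled[requestedID]
	}
	// BUG: no certificate (or no TLS at all), yet the caller is treated as the device it claims to be.
	return enrolled[requestedID]
}

// hardenedAuth fails closed: a certificate must be present, must have been
// verified by the TLS stack against the client CA pool, and its identity must
// match the device the request claims to be.
func hardenedAuth(state *tls.ConnectionState, requestedID string) bool {
	if state == nil || len(state.PeerCertificates) == 0 || len(state.VerifiedChains) == 0 {
		return false
	}
	cn := state.PeerCertificates[0].Subject.CommonName
	return cn == requestedID && enrolled[requestedID]
}

// stateWithCert builds a connection state shaped like the one Go leaves after a
// handshake with ClientAuth >= tls.VerifyClientCertIfGiven. Constructed for the
// example; no real handshake takes place.
func stateWithCert(cn string, verified bool) *tls.ConnectionState {
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	st := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}
	if verified {
		st.VerifiedChains = [][]*x509.Certificate{{cert}}
	}
	return st
}

// noCertState models a TLS connection on which the client sent no certificate.
func noCertState() *tls.ConnectionState { return &tls.ConnectionState{} }

// manageHandler is the shape of the management endpoint guard. It reads the
// device identifier from a query parameter (assumed layout, not Fleet's
// protocol) and only returns the profile when hardenedAuth passes. For a
// plain-HTTP request r.TLS is nil, which hardenedAuth rejects.
func manageHandler(w http.ResponseWriter, r *http.Request) {
	id := r.URL.Query().Get("device")
	if !hardenedAuth(r.TLS, id) {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "profile for %s\n", id)
}

func main() {
	// Table the cases that matter; the no-certificate row is the one the advisory describes.
	cases := []struct {
		name  string
		state *tls.ConnectionState
	}{
		{"verified cert for DEVICE-0001", stateWithCert("DEVICE-0001", true)},
		{"unverified cert for DEVICE-0001", stateWithCert("DEVICE-0001", false)},
		{"verified cert for another device", stateWithCert("DEVICE-0002", true)},
		{"no client certificate", noCertState()},
		{"no TLS at all", nil},
	}
	for _, c := range cases {
		fmt.Printf("%-34s vulnerable=%-5v hardened=%v\n", c.name,
			vulnerableAuth(c.state, "DEVICE-0001"), hardenedAuth(c.state, "DEVICE-0001"))
	}
}
```

The point of the comparison is the default branch: any authorization step that is reached when `r.TLS` is nil or `PeerCertificates` is empty must return a rejection, and the same holds when TLS is terminated in front of the application and the certificate arrives via another channel, where the absence of that channel's value must likewise fail closed.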

Affected Systems

The flaw affects the open‑source Fleet device‑management suite from FleetDM, specifically all versions prior to 4.81.0. Deployments of those releases are potentially exposed if Windows MDM is enabled and an attacker can supply a known enrolled device identifier.

Risk and Exploitability

The CVSS score of 8.2 indicates a high‑severity flaw. While no EPSS score is available, the lack of an active KEV listing suggests no widespread exploitation to date; however, the attack requires knowledge of a device identifier and the ability to send an HTTP request to the Fleet MDM endpoint. Attackers with network or privileged access to the Fleet server can exploit the bypass, though they cannot add new devices or gain Fleet administrative access.

Generated by OpenCVE AI on May 14, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or newer to enforce client‑certificate validation at the Windows MDM endpoint.
  • If an upgrade cannot be performed immediately, disable Windows MDM functionality in the Fleet configuration to remove the unprotected endpoint.
  • Restrict network access to the MDM endpoint, applying firewall rules or IP whitelisting, to minimize the opportunity for unauthenticated requests.

Advisories

Source: Github GHSA
ID: GHSA-2rc4-7jc6-qffh
Title: Fleet has a Windows MDM management endpoint authentication bypass

History

Fri, 15 May 2026 18:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 15 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Fleetdm; Fleetdm fleet
Vendors & Products                     Fleetdm; Fleetdm fleet

Thu, 14 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted. As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles. This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Title                          Fleet has a Windows MDM management endpoint authentication bypass
Weaknesses                     CWE-295
References
Metrics                        cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:12:52.682Z

Reserved: 2026-01-19T18:49:20.658Z

Link: CVE-2026-23998

Vulnrichment

Updated: 2026-05-15T14:12:47.323Z

NVD

Status: Analyzed

Published: 2026-05-14T19:16:30.983

Modified: 2026-05-15T18:08:13.130

Link: CVE-2026-23998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses