Description
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known. Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp. An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window. However, successful exploitation is constrained by multiple factors: Physical access to the device is required, the approximate lock time must be known, the operating system enforces rate limiting on PIN entry attempts, attempts would need to be spread over, and device wipe operations would typically complete before sufficient attempts could be made. As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls. Version 4.80.1 contains a patch. No known workarounds are available.
Published: 2026-02-26
Score: 0.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Predictable 6-digit PIN for device lock
Action: Patch Immediately
AI Analysis

Impact

Fleet generates a 6‑digit PIN for device lock and wipe using only the current Unix timestamp, with no secret key or additional randomness. The PIN is displayed to administrators and used to unlock the device. Because the algorithm is deterministic, an adversary who knows the approximate time a lock command was issued and has physical access to the device could predict the PIN within a limited search window, potentially bypassing the lock. However, the vulnerability does not allow remote exploitation, fleet‑wide compromise, or compromise of Fleet’s authentication controls.
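As an added illustration, not Fleet's own code and not part of the advisory, the weak pattern described above is shown beside a crypto/rand-backed replacement, together with a regression check that flags any PIN generator whose output is a pure function of the lock time. The TimestampPIN formula, the Generator type and the sample lock time are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"time"
)

// Generator produces the 6-digit PIN shown to an admin when a device is locked.
type Generator func(lockedAt time.Time) (string, error)

// TimestampPIN sketches the weak pattern the advisory describes (an
// illustrative assumption, not Fleet's actual code): the PIN is a pure
// function of the lock time, so it carries no entropy of its own.
func TimestampPIN(lockedAt time.Time) (string, error) {
	return fmt.Sprintf("%06d", lockedAt.Unix()%1_000_000), nil
}

// RandomPIN ignores the lock time and draws the PIN from crypto/rand.
// rand.Int returns a uniform value in [0, 1e6), so there is no modulo bias.
func RandomPIN(_ time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// DeterminedByTime is the regression check for CWE-330: it locks "the same
// device" n times at the same instant and reports whether every PIN came out
// identical. A clock-only generator always returns true; a CSPRNG-backed one
// returns true only with probability (1e-6)^(n-1).
func DeterminedByTime(gen Generator, lockedAt time.Time, n int) (bool, error) {
	first, err := gen(lockedAt)
	if err != nil {
		return false, err
	}
	for i := 1; i < n; i++ {
		pin, err := gen(lockedAt)
		if err != nil {
			return false, err
		}
		if pin != first {
			return false, nil
		}
	}
	return true, nil
}
```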

Affected Systems

The affected product is Fleet, the open‑source device management platform from fleetdm. All versions earlier than 4.80.1 are vulnerable; version 4.80.1 and later contain the fix.

Risk and Exploitability

The CVSS score of 0.6 and an EPSS score of less than one percent indicate a low severity and very limited likelihood of exploitation. The vulnerability requires physical possession of the device, knowledge of the lock time, and the ability to enter PIN guesses before rate limiting or wipe completion prevents further attempts. The issue is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.80.1 or later to apply the patch that uses a secure, non‑predictable PIN generation mechanism.
  • If device lock functionality is not essential, disable it to eliminate the risk of PIN prediction.
  • Enforce strict physical security controls for devices to prevent unauthorized access, and monitor for repeated PIN entry attempts or other abnormal access patterns.



Advisories
Source: GitHub GHSA
ID: GHSA-ppwx-5jq7-px2w
Title: Fleet: Device lock PIN can be predicted if lock time is known
History

Mon, 02 Mar 2026 16:00:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics (cvssV3_1)                    {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 27 Feb 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics (ssvc)                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Fleetdm; Fleetdm fleet
Vendors & Products                    Fleetdm; Fleetdm fleet

Thu, 26 Feb 2026 03:15:00 +0000

Type                 Values Removed   Values Added
Description                           Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known. Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp. An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window. However, successful exploitation is constrained by multiple factors: Physical access to the device is required, the approximate lock time must be known, the operating system enforces rate limiting on PIN entry attempts, attempts would need to be spread over, and device wipe operations would typically complete before sufficient attempts could be made. As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls. Version 4.80.1 contains a patch. No known workarounds are available.
Title                                 Fleet: Device lock PIN can be predicted if lock time is known
Weaknesses                            CWE-330
References
Metrics (cvssV4_0)                    {'score': 0.6, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:15:55.289Z

Reserved: 2026-01-19T18:49:20.658Z

Link: CVE-2026-23999

Vulnrichment

Updated: 2026-02-26T15:15:49.832Z

NVD

Status : Analyzed

Published: 2026-02-26T03:16:04.010

Modified: 2026-03-02T15:47:56.540

Link: CVE-2026-23999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses