Description
Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP address using HTTP headers such as X-Forwarded-For, X-Real-IP, and/or True-Client-IP. These headers were trusted without validation. An attacker could supply arbitrary values in these headers, causing Fleet to treat each request as originating from a different IP address. This could allow an attacker to bypass per-IP rate limits and increase the effectiveness of brute-force or password-spraying attempts against authentication endpoints. This issue does not allow authentication bypass, privilege escalation, data exposure, or remote code execution on its own. Version 4.80.1 contains a patch. As a workaround, run Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fleet trusted client-supplied IP headers such as X-Forwarded-For, X-Real-IP and True-Client-IP without validation, allowing an attacker to spoof any address and cause Fleet to treat each request as originating from a distinct IP. This flaw enables bypass of per-IP rate limiting controls and can increase the effectiveness of brute-force or password-spraying attacks against authentication endpoints. The vulnerability does not provide authentication bypass, privilege escalation, data exposure, or remote code execution on its own and is marked as CWE-290.

Affected Systems

The issue affects Fleet open‑source device management software provided by FleetDM. Any Fleet installation using a version earlier than 4.80.1 is vulnerable and relies on untrusted client‑supplied IP headers for source address determination.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Because the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation. However, the flaw can be triggered via normal HTTP requests with fabricated headers, meaning an attacker with network access or ability to send arbitrary requests can bypass rate limits and mount more efficient credential‑guessing attacks. The risk is moderate to high, especially in environments with high authentication traffic or where robust rate limiting is essential. The absence of a known exploit does not diminish the importance of applying the available fix.

Generated by OpenCVE AI on May 14, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.80.1 or newer to apply the public‑IP header validation patch.
  • If an immediate upgrade is not possible, place Fleet behind a trusted reverse proxy or load balancer that overwrites X‑Forwarded‑For, X‑Real‑IP and True‑Client‑IP headers so that Fleet receives the genuine client IP.
  • Review and, if necessary, tighten authentication rate limits and monitor for abnormal authentication attempt patterns to detect bypass attempts early.

Generated by OpenCVE AI on May 14, 2026 at 20:24 UTC.
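The header-trust pattern described in this advisory, shown as an added Go example (not Fleet's own code): the naive resolver that believes any forwarding header a client sends, beside a hardened one that consults X-Forwarded-For only when the TCP peer is the configured reverse proxy. The 10.0.0.0/8 proxy range, the function names and the test addresses are assumptions for illustration.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Assumed for this example: the reverse proxy in front of Fleet lives in 10.0.0.0/8.
var _, trustedProxyNet, _ = net.ParseCIDR("10.0.0.0/8")

func isTrustedProxy(s string) bool {
	ip := net.ParseIP(strings.TrimSpace(s))
	return ip != nil && trustedProxyNet.Contains(ip)
}

// clientIPNaive is the weak pattern the advisory describes: whichever forwarding
// header the client sends is believed, so the socket peer is never consulted.
func clientIPNaive(r *http.Request) string {
	for _, h := range []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"} {
		if v := r.Header.Get(h); v != "" {
			return strings.TrimSpace(strings.Split(v, ",")[0])
		}
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// clientIPTrusted honours X-Forwarded-For only when the TCP peer is the trusted
// proxy, and then takes the right-most hop that is not itself a proxy: the proxy
// appends the address it saw, while a client can only prepend values it controls.
func clientIPTrusted(r *http.Request) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if !isTrustedProxy(peer) {
		return peer // direct connection: forwarding headers are ignored entirely
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if h := strings.TrimSpace(hops[i]); net.ParseIP(h) != nil && !isTrustedProxy(h) {
			return h
		}
	}
	return peer
}
```

Keying the per-IP rate limiter on clientIPTrusted rather than clientIPNaive removes the bypass, because a direct client cannot influence the key at all and a client behind the proxy can only prepend entries that the right-to-left walk never reaches.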

Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-j8h8-75h3-jg53 | Fleet has a rate limiting bypass via untrusted client IP headers
History

Fri, 15 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Thu, 14 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fleetdm, Fleetdm fleet
Vendors & Products | | Fleetdm, Fleetdm fleet

Thu, 14 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. Fleet determines a client’s public IP address using HTTP headers such as X-Forwarded-For, X-Real-IP, and/or True-Client-IP. These headers were trusted without validation. An attacker could supply arbitrary values in these headers, causing Fleet to treat each request as originating from a different IP address. This could allow an attacker to bypass per-IP rate limits and increase the effectiveness of brute-force or password-spraying attempts against authentication endpoints. This issue does not allow authentication bypass, privilege escalation, data exposure, or remote code execution on its own. Version 4.80.1 contains a patch. As a workaround, run Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.
Title | | Fleet has a rate limiting bypass via untrusted client IP headers
Weaknesses | | CWE-290
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:41:20.490Z

Reserved: 2026-01-19T18:49:20.658Z

Link: CVE-2026-24000

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-14T20:17:01.713

Modified: 2026-05-15T20:05:44.217

Link: CVE-2026-24000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses