Description
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. Version 4.80.1 fixes the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
Published: 2026-02-26
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Android device disenrollment
Action: Patch
AI Analysis

Impact

Fleet, an open-source device management platform, contained a flaw in its Android Mobile Device Management Pub/Sub handling that allows an unauthenticated attacker to trigger a device unenrollment event. The vulnerability does not grant access to Fleet, execution of commands, or visibility into device data, but it can remove a target Android device from management, disrupting its administration and any remote policies applied to it.

Affected Systems

The issue applies to the fleetdm fleet product in all versions older than 4.80.1. Android devices managed through Fleet’s MDM feature are the relevant scope. Versions 4.80.1 and newer contain the fix.

Risk and Exploitability

The CVSS score of 1.7 and an EPSS score below 1% indicate a low threat level and a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no authentication or privilege and simply causes a single managed device to be removed from administration; it offers no broader system compromise.

Generated by OpenCVE AI on April 17, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.80.1 or later to eliminate the flaw
  • If an upgrade is not immediately possible, disable the Android MDM feature in Fleet to block further unenrollment attempts
  • Monitor Fleet logs for unexpected unenrollment events and verify no additional Pub/Sub endpoints are reachable by unauthenticated actors

Advisories
Source: Github GHSA
ID: GHSA-9pm7-6g36-6j78
Title: Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
History

Mon, 02 Mar 2026 16:00:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1)
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 26 Feb 2026 15:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
  Values Added: Fleetdm, Fleetdm fleet
Type: Vendors & Products
  Values Added: Fleetdm, Fleetdm fleet

Thu, 26 Feb 2026 03:15:00 +0000

Type: Description
  Values Added: Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. Version 4.80.1 fixes the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
Type: Title
  Values Added: Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Type: Weaknesses
  Values Added: CWE-862
Type: References
  Values Added:
Type: Metrics (cvssV4_0)
  Values Added: {'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:33:57.282Z

Reserved: 2026-01-19T18:49:20.659Z

Link: CVE-2026-24004

Vulnrichment

Updated: 2026-02-26T14:33:47.683Z

NVD

Status: Analyzed

Published: 2026-02-26T03:16:04.183

Modified: 2026-03-02T15:49:08.590

Link: CVE-2026-24004

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses