Description
Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes can be used to authenticate to Fleet's MDM endpoints. If Windows MDM is enabled, an attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to enroll unauthorized devices and interact with Fleet's MDM management APIs. During device management, Fleet may expose sensitive enrollment secrets embedded in MDM command payloads, enabling further unauthorized access. Version 4.82.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Published: 2026-05-14
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fleet's Windows MDM enrollment process validates Azure AD-signed JWTs but fails to check the `aud` and `iss` claims. This allows an attacker who can obtain any valid Microsoft Azure AD token with the required scopes to authenticate to Fleet's MDM endpoints. The attacker can enroll unauthorized devices and invoke MDM APIs, potentially exposing sensitive enrollment secrets embedded in command payloads.
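Fleet is written in Go, so the gap described above is shown here as an added Go illustration (not Fleet's code): `verifySignatureOnly` accepts any token whose RS256 signature validates, as the pre-4.82.0 flow did, while `verifyForTenant` also pins the `iss` and `aud` claims. The RSA key supplied by the caller stands in for the key Fleet would fetch from Microsoft's JWKS, `mintToken` stands in for Microsoft's token service, and the issuer and audience strings a caller passes are placeholders; all of these are assumptions of the example, not details from the advisory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims holds the two Azure AD claims at issue (encoding/json matches "iss"/"aud" case-insensitively).
type Claims struct{ Iss, Aud string }
var b64 = base64.RawURLEncoding

// verifySignatureOnly models the pre-4.82.0 check: any token whose RS256 signature validates is accepted, whichever tenant issued it.
func verifySignatureOnly(token string, pub *rsa.PublicKey) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, e1 := b64.DecodeString(p[1])
	sig, e2 := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // JWS signing input is header.payload
	if e1 != nil || e2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	c := new(Claims)
	return c, json.Unmarshal(payload, c)
}

// verifyForTenant adds what the fix requires: the token must come from our tenant's issuer and be addressed to our app.
func verifyForTenant(token string, pub *rsa.PublicKey, wantIss, wantAud string) (*Claims, error) {
	if c, err := verifySignatureOnly(token, pub); err != nil {
		return nil, err
	} else if c.Iss == wantIss && c.Aud == wantAud {
		return c, nil
	}
	return nil, errors.New("issuer or audience mismatch")
}

// mintToken signs a JSON payload as an RS256 JWT; in this demo it stands in for Microsoft's token service (an assumption).
func mintToken(priv *rsa.PrivateKey, payload string) string {
	in := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	digest := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return in + "." + b64.EncodeToString(sig)
}
```

A production verifier would additionally select the JWKS key by `kid`, enforce the expected `alg`, and check `exp` and `nbf`; those steps are left out here to keep the issuer/audience check in focus.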

Affected Systems

All versions of Fleet before 4.82.0 that manage Windows devices with Windows MDM enabled. Fleet v4.81.0 and earlier are vulnerable; the fix was released in version 4.82.0.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and the vulnerability is exploitable remotely over the network by anyone who can obtain a suitable Azure AD token. Because the EPSS score is not available and the vulnerability is not in the KEV catalog, the probability of exploitation cannot be precisely quantified, but the attack surface is significant because the flawed validation logic runs on the server side. An attacker with access to any Azure AD tenant can perform the exploit without additional privileges.

Generated by OpenCVE AI on May 14, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.82.0 or later to apply the vendor patch.
  • If an immediate upgrade is not possible, disable Windows MDM for all Fleet-managed devices to prevent unauthorized enrollment.
  • After restoring services, review your Azure AD tenant's token permissions and ensure only authorized clients can request tokens with the required scopes.

Advisories
Source       ID                   Title
GitHub GHSA  GHSA-ffg9-j72f-j6xm  Fleet Windows MDM Azure AD JWT Authentication Bypass
History

Thu, 14 May 2026 20:45:00 +0000

Values added:
  • First Time appeared: Fleetdm; Fleetdm fleet
  • Vendors & Products: Fleetdm; Fleetdm fleet

Thu, 14 May 2026 19:30:00 +0000

Values added:
  • Description: the advisory text shown in the Description section above
  • Title: Fleet Windows MDM Azure AD JWT Authentication Bypass
  • Weaknesses: CWE-290
  • References
  • Metrics: cvssV4_0, score 8.2, vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:58:26.550Z

Reserved: 2026-01-27T19:35:20.529Z

Link: CVE-2026-24899

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:01.873

Modified: 2026-05-14T21:24:23.440

Link: CVE-2026-24899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses