Description
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate templates that are scoped to individual teams. In affected versions, the batch deletion endpoint validated authorization using a user-supplied team identifier but did not verify that the certificate template IDs being deleted actually belonged to that team. As a result, a team administrator could delete certificate templates associated with other teams, potentially disrupting certificate-based workflows such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams. This issue does not allow privilege escalation, access to sensitive data, or compromise of Fleet’s control plane. Impact is limited to integrity and availability of certificate templates across teams. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.
Published: 2026-02-26
Score: 1.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of certificate templates across teams
Action: Apply patch
AI Analysis

Impact

Fleet, an open‑source device‑management platform, contained a broken authorization check in its certificate‑template deletion API. The check validated a user‑supplied team identifier but did not verify that the template IDs to be deleted actually belonged to that team. As a result, a team administrator could delete certificate templates owned by other teams within the same Fleet instance. This loss of integrity could disrupt certificate‑based workflows such as device enrollment, Wi‑Fi or VPN authentication, resulting in downtime or forced re‑enrollment for affected teams.

Affected Systems

The vulnerability affected all Fleet installations running a version older than 4.80.1. The affected product is the Fleet application provided by fleetdm. Version 4.80.1 or later contains the fix.

Risk and Exploitability

The CVSS score of 1.2 reflects the low severity, and the EPSS score of <1% indicates a very low probability of exploitation. The vulnerability does not provide privilege escalation or data theft; the attacker must already have team‑administrator rights and exploit the batch‑deletion endpoint. Since the attack vector is through the internal API, the risk to the broader Fleet infrastructure is limited to integrity and availability of certificate templates, and it is not listed in the CISA Known‑Exploited Vulnerabilities catalog.

Generated by OpenCVE AI on April 17, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.80.1 or later to apply the official fix.
  • If an immediate upgrade is not possible, restrict certificate template management to trusted administrators and avoid delegating team‑administrator permissions where not strictly required.
  • Configure the system to enforce ownership checks on template deletion or disable the batch‑deletion endpoint until the ownership validation is corrected.

Generated by OpenCVE AI on April 17, 2026 at 14:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5jvp-m9h4-253h Fleet: Authorization Bypass in certificate template batch deletion for team administrators
History

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Thu, 26 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate templates that are scoped to individual teams. In affected versions, the batch deletion endpoint validated authorization using a user-supplied team identifier but did not verify that the certificate template IDs being deleted actually belonged to that team. As a result, a team administrator could delete certificate templates associated with other teams, potentially disrupting certificate-based workflows such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams. This issue does not allow privilege escalation, access to sensitive data, or compromise of Fleet’s control plane. Impact is limited to integrity and availability of certificate templates across teams. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.
Title Fleet: Authorization Bypass in certificate template batch deletion for team administrators
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 1.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:27:10.738Z

Reserved: 2026-02-09T17:13:54.066Z

Link: CVE-2026-25963

cve-icon Vulnrichment

Updated: 2026-02-26T14:27:03.784Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T03:16:04.350

Modified: 2026-02-27T16:05:58.370

Link: CVE-2026-25963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses