Description
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Password Reset
Action: Immediate Patch
AI Analysis

Impact

Password reset tokens in Fleet stay valid for their full 24-hour lifetime even after the user changes their password. An attacker who already holds a token issued for the victim can use it to reset the account password after the user has taken defensive action, so the password change does not close the window. The weakness is CWE-613 (Insufficient Session Expiration): the reset token is a credential that should be revoked when the password it governs is replaced. The result is an unauthorized account takeover affecting the confidentiality and integrity of the victim's account.

Affected Systems

Fleet by fleetdm is the only vendor listed for this issue. The vulnerability exists in all releases prior to 4.81.0, so deployments running Fleet 4.80.x and earlier are exposed. Version 4.81.0 patches the issue; the advisory does not spell out the code change, but the expected behaviour after the fix is that outstanding reset tokens no longer work once the user's password has been changed.
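The behaviour described in the Impact and Affected Systems sections, modelled as an added example (not Fleet's code, and not taken from the advisory): a minimal in-memory reset-token store in Go, with a switch between the pre-4.81.0 behaviour (a password change leaves outstanding tokens valid) and the expected patched behaviour (a password change revokes them). The 24-hour lifetime comes from the advisory title; the store layout, single-use handling and user IDs are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Hypothetical reset-token store; not Fleet's implementation.
const resetTokenTTL = 24 * time.Hour // lifetime named in the advisory title

var (
	ErrBadCredentials = errors.New("bad credentials")
	ErrInvalidToken   = errors.New("reset token invalid or expired")
)

type resetRecord struct {
	userID    int
	expiresAt time.Time
}

type PasswordStore struct {
	mu             sync.Mutex
	now            func() time.Time       // injectable clock so expiry is testable
	revokeOnChange bool                   // false: pre-4.81.0 behaviour; true: revoke tokens on password change
	passwords      map[int][]byte         // userID -> password (plaintext stand-in for a bcrypt/argon2 hash)
	resets         map[string]resetRecord // sha256(token) hex -> record; the raw token is never stored
}

func NewPasswordStore(revokeOnChange bool, now func() time.Time) *PasswordStore {
	return &PasswordStore{now: now, revokeOnChange: revokeOnChange,
		passwords: map[int][]byte{}, resets: map[string]resetRecord{}}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

func (s *PasswordStore) checkLocked(userID int, pw string) bool {
	stored, ok := s.passwords[userID]
	return ok && subtle.ConstantTimeCompare(stored, []byte(pw)) == 1
}

func (s *PasswordStore) SetPassword(userID int, pw string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.passwords[userID] = []byte(pw)
}

func (s *PasswordStore) CheckPassword(userID int, pw string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.checkLocked(userID, pw)
}

// IssueResetToken mints the token a "forgot password" mail would carry.
func (s *PasswordStore) IssueResetToken(userID int) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.resets[hashToken(tok)] = resetRecord{userID: userID, expiresAt: s.now().Add(resetTokenTTL)}
	return tok, nil
}

// revokeLocked drops every outstanding token for one user; caller holds s.mu.
func (s *PasswordStore) revokeLocked(userID int) {
	for h, rec := range s.resets {
		if rec.userID == userID {
			delete(s.resets, h)
		}
	}
}

// ChangePassword is the user's defensive action. Only the patched variant
// also revokes that user's outstanding reset tokens.
func (s *PasswordStore) ChangePassword(userID int, oldPw, newPw string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.checkLocked(userID, oldPw) {
		return ErrBadCredentials
	}
	s.passwords[userID] = []byte(newPw)
	if s.revokeOnChange {
		s.revokeLocked(userID)
	}
	return nil
}

// ResetWithToken consumes a token: it must exist and be unexpired, and any
// sibling tokens for the same user are revoked once it is used.
func (s *PasswordStore) ResetWithToken(tok, newPw string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.resets[hashToken(tok)]
	if !ok || !s.now().Before(rec.expiresAt) {
		return ErrInvalidToken
	}
	s.passwords[rec.userID] = []byte(newPw)
	s.revokeLocked(rec.userID)
	return nil
}

// StaleTokenWins replays the advisory scenario: a token issued before the
// user's defensive password change. Returns true if it still resets the password.
func StaleTokenWins(revokeOnChange bool) (bool, error) {
	clock := time.Date(2026, 3, 27, 12, 0, 0, 0, time.UTC) // constructed timestamp
	s := NewPasswordStore(revokeOnChange, func() time.Time { return clock })
	const user = 42 // hypothetical user ID
	s.SetPassword(user, "original-pw")
	tok, err := s.IssueResetToken(user) // attacker obtains this copy
	if err != nil {
		return false, err
	}
	if err := s.ChangePassword(user, "original-pw", "rotated-by-user"); err != nil {
		return false, err
	}
	err = s.ResetWithToken(tok, "attacker-pw")
	return err == nil && s.CheckPassword(user, "attacker-pw"), nil
}

func main() {
	vuln, _ := StaleTokenWins(false)
	fixed, _ := StaleTokenWins(true)
	fmt.Printf("stale token usable: vulnerable=%v patched=%v\n", vuln, fixed)
}
```

The check worth keeping from this model is in ChangePassword: a password change must revoke every reset token issued for that user, not just expire them on schedule. The same revocation belongs on successful token use (so a token is single-use) and, in a real system, on any other credential-rotation event such as an administrator-forced reset.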

Risk and Exploitability

The CVSS 4.0 score of 6.0 (vector AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N) rates the issue as network-reachable with low attack complexity but with an attack requirement: the attacker must already hold a reset token issued for the victim, for example one captured from the reset e-mail or from a mailbox the attacker can read. No specialized skill is needed beyond that; once the token is used, the attacker sets a new password and gains full control of the account. The EPSS score is not available, and the vulnerability is not currently in CISA's KEV catalog.

Generated by OpenCVE AI on March 27, 2026 at 19:22 UTC.

Remediation

Vendor fix: upgrade to Fleet 4.81.0 or later, which patches the issue (GHSA-3458-r943-hmx4). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or newer.
  • Check the Fleet release notes for additional mitigations if available.
  • If you cannot upgrade immediately, consider enabling multi‑factor authentication and monitoring password reset activity. Note that on unpatched versions a defensive password change alone does not help: an exposed reset token stays usable until its 24‑hour lifetime ends, so treat any account whose reset e‑mail may have been read by a third party as at risk for that window.

Generated by OpenCVE AI on March 27, 2026 at 19:22 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-3458-r943-hmx4
Title: Fleet: Password reset tokens remain valid after password change for 24 hours
History

Fri, 27 Mar 2026 18:45:00 +0000

Type: Description
Values removed: (none)
Values added: Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.

Type: Title
Values removed: (none)
Values added: Fleet: Password reset tokens remain valid after password change for 24 hours

Type: Weaknesses
Values removed: (none)
Values added: CWE-613

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:32:38.862Z

Reserved: 2026-02-10T18:01:31.899Z

Link: CVE-2026-26060

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T19:16:42.240

Modified: 2026-03-27T19:16:42.240

Link: CVE-2026-26060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:46Z

Weaknesses