Description
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized password reset leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a flaw in Fleet's password reset logic: a password reset token, once issued, stays valid until it expires 24 hours after issuance, even if the account holder changes their password in the meantime. Because a password change does not invalidate outstanding tokens, anyone holding a previously issued token can still redeem it to set the account password to a value of their choosing, undoing the defensive change. The weakness is classified as CWE-613 (Insufficient Session Expiration): the reset token is a credential whose lifetime is not cut short by the event that should revoke it. The result is loss of control over the affected account and potential full account takeover; the CVSS 4.0 vector rates the confidentiality impact on that account as high, integrity as low and availability as none, and no wider system compromise is described.
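The token lifecycle described above, as an added example that is not Fleet's code: a minimal Go model (Fleet itself is written in Go) of a reset-token store with the flawed change-password path beside a corrected one that revokes outstanding tokens as part of the password change. The store, record and function names, the 24-hour TTL constant, the user IDs and the timeline are assumptions made for this example, and the password hashing is a SHA-256 placeholder rather than a production KDF.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Illustrative model of a password-reset flow, not Fleet's code; every name below is an assumption.

const resetTokenTTL = 24 * time.Hour // the window named in the advisory title
var errInvalidToken = errors.New("invalid or expired reset token")

type resetRecord struct {
	userID  int
	expires time.Time
}

type store struct {
	users  map[int]string         // userID -> password hash
	tokens map[string]resetRecord // keyed by SHA-256 of the token, never the raw token
	now    func() time.Time       // injectable clock so the scenario can move time
}

// sha256Hex indexes tokens and stands in for a real password KDF (use bcrypt/argon2 in production).
func sha256Hex(s string) string { sum := sha256.Sum256([]byte(s)); return hex.EncodeToString(sum[:]) }

// issueResetToken mints a random token, stores only its hash with a 24h expiry and returns the raw token.
func (s *store) issueResetToken(userID int) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[sha256Hex(tok)] = resetRecord{userID: userID, expires: s.now().Add(resetTokenTTL)}
	return tok, nil
}

func (s *store) setPassword(userID int, pw string) { s.users[userID] = sha256Hex("pw:" + pw) }

// revokeResetTokens drops every outstanding reset token for one user.
func (s *store) revokeResetTokens(userID int) {
	for h, rec := range s.tokens {
		if rec.userID == userID {
			delete(s.tokens, h)
		}
	}
}

// changePasswordVulnerable mirrors the flawed behaviour: the hash is replaced, but earlier tokens survive.
func (s *store) changePasswordVulnerable(userID int, pw string) { s.setPassword(userID, pw) }

// changePasswordFixed treats a password change as a credential rotation and revokes outstanding tokens too.
func (s *store) changePasswordFixed(userID int, pw string) {
	s.setPassword(userID, pw)
	s.revokeResetTokens(userID)
}

// resetPassword consumes a token: it must exist and be unexpired, and it is deleted on first use either way.
func (s *store) resetPassword(tok, pw string) error {
	h := sha256Hex(tok)
	rec, ok := s.tokens[h]
	delete(s.tokens, h)
	if !ok || s.now().After(rec.expires) {
		return errInvalidToken
	}
	s.setPassword(rec.userID, pw)
	return nil
}

// staleTokenStillWorks replays the advisory's scenario on a constructed timeline: a token is issued,
// the victim changes their password defensively, and after delay the attacker replays the old token.
// It reports whether that replay was accepted.
func staleTokenStillWorks(change func(*store, int, string), delay time.Duration) (bool, error) {
	clock := time.Date(2026, 3, 27, 12, 0, 0, 0, time.UTC)
	s := &store{users: map[int]string{1: sha256Hex("pw:original")}, tokens: map[string]resetRecord{}, now: func() time.Time { return clock }}
	tok, err := s.issueResetToken(1) // the copy the attacker has obtained
	if err != nil {
		return false, err
	}
	change(s, 1, "victim-rotated-password")
	clock = clock.Add(delay)
	return s.resetPassword(tok, "attacker-chosen") == nil, nil
}

func main() {
	v, _ := staleTokenStillWorks((*store).changePasswordVulnerable, 10*time.Minute)
	f, _ := staleTokenStillWorks((*store).changePasswordFixed, 10*time.Minute)
	e, _ := staleTokenStillWorks((*store).changePasswordVulnerable, 25*time.Hour)
	fmt.Println("vulnerable, replay 10m after change:", v) // true: account taken over
	fmt.Println("fixed, replay 10m after change:", f)      // false
	fmt.Println("vulnerable, replay after 25h:", e)        // false: only the TTL closed the window
}
```

The first two runs contrast the two change-password paths; the third shows that without the fix only the 24-hour expiry closes the window, which is why a defensive password change on an unpatched deployment does not by itself lock an attacker out.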

Affected Systems

The issue affects the open‑source Fleet device‑management platform provided by FleetDM. Versions of Fleet prior to 4.81.0 are vulnerable; Fleet 4.81.0 and later contain the fix.

Risk and Exploitability

The score of 6 (Medium) shown above is the CNA's CVSS 4.0 rating (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N); NVD's CVSS 3.1 assessment recorded in the history below is 8.8 (High), so a risk review should weigh both. The EPSS score of less than 1 percent suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack precondition (AT:P in the vector) is possession of a valid but stale password reset token. The likely attack vector is remote, since the token is redeemed over the network once obtained, for example from a phished or intercepted reset e-mail or a prior compromise of the user's mailbox. With the token in hand, the attacker resets the password without further authentication and takes full control of the affected account, even though the legitimate user has already rotated the password.

Generated by OpenCVE AI on March 31, 2026 at 17:27 UTC.

Remediation

Vendor fix: Fleet 4.81.0 (see the GHSA advisory below). No vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or newer; the patch invalidates outstanding reset tokens when the password changes.
  • Until the upgrade is applied, do not rely on a password change alone to lock an attacker out, since that is exactly the step the bug bypasses. Stale tokens expire 24 hours after issuance, so treat any reset request from the last 24 hours as a live credential; if your deployment gives you direct access to the reset-token records, clearing them for affected users closes the window (this page lists no vendor-provided mechanism for that).
  • After upgrading, confirm that no tokens issued before the upgrade remain redeemable, and monitor authentication logs for password resets that the user did not request or that follow shortly after a user-initiated password change.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-3458-r943-hmx4
Title: Fleet: Password reset tokens remain valid after password change for 24 hours
History

Tue, 31 Mar 2026 16:30:00 +0000

Values added:
  • CPEs: cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 07:15:00 +0000

Values added:
  • First time appeared: Fleetdm, Fleetdm fleet
  • Vendors & Products: Fleetdm, Fleetdm fleet

Sat, 28 Mar 2026 17:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 18:45:00 +0000

Values added:
  • Description: Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
  • Title: Fleet: Password reset tokens remain valid after password change for 24 hours
  • Weaknesses: CWE-613
  • References
  • Metrics: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:32:38.862Z

Reserved: 2026-02-10T18:01:31.899Z

Link: CVE-2026-26060

Vulnrichment

Updated: 2026-03-27T19:32:33.220Z

NVD

Status : Analyzed

Published: 2026-03-27T19:16:42.240

Modified: 2026-03-31T16:23:48.100

Link: CVE-2026-26060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:53Z

Weaknesses