Description
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to unbounded request body read on unauthenticated endpoints
Action: Patch Immediately
AI Analysis

Impact

This vulnerability in the open source Fleet Device Management software allows an attacker to send arbitrarily large or repeated request bodies to unauthenticated HTTP endpoints. Because the application does not enforce a size limit when reading the request body, the process may allocate excessive memory, eventually exhausting resources and causing the service to become unresponsive. The flaw is classified as CWE-770: Uncontrolled Resource Consumption.

Affected Systems

All versions of the Fleet product before 4.81.0 are affected. The issue applies to the default configuration where the vulnerable endpoints are publicly accessible without authentication. The public advisory reports that sending large or multiple payloads can trigger a denial‑of‑service condition.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity, while the EPSS score is below 1%, suggesting that exploitation is not yet widespread. The vulnerability is not listed in the CISA KEV catalog, so no active exploits are known. Attackers can remotely send oversized payloads without authentication, making the attack straightforward. Although the exploitation probability is low, the impact of a successful denial‑of service could disrupt device management operations in critical environments.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or later to apply the fixed request‑size enforcement.
  • If the upgrade cannot be performed immediately, configure a reverse proxy or load balancer to limit the size of incoming HTTP requests to a reasonable threshold.
  • Disable or remove any unauthenticated HTTP endpoints that are still exposed, if possible.
  • Monitor the Fleet logs for unusually large payloads and monitor resource usage after deployment.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-99hj-44vg-hfcp Fleet's unbounded request body read allows remote Denial of Service
History

Tue, 31 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.
Title Fleet's unbounded request body read allows remote Denial of Service
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T13:38:29.843Z

Reserved: 2026-02-10T18:01:31.900Z

Link: CVE-2026-26061

cve-icon Vulnrichment

Updated: 2026-03-31T13:38:08.960Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T19:16:42.410

Modified: 2026-03-31T18:51:33.887

Link: CVE-2026-26061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:28Z

Weaknesses