Description
Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host. An authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the `PublishLogs` endpoint. This vulnerability impacts availability only. There is no exposure of sensitive data, no authentication bypass, no privilege escalation, and no integrity impact. Version 4.81.0 contains a patch. If upgrading immediately is not possible, the following mitigations can reduce exposure. Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges); deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required; and/or monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.
Published: 2026-05-14
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the gRPC Launcher “PublishLogs” endpoint of the Fleet open source device management software. This presents a CWE‑20 input validation flaw, as certain unexpected input values are not validated, leading to the Fleet server process terminating when an authenticated request is processed. The crash renders the service unavailable, delivering an immediate and complete denial of service. No data is exposed, authentication is not bypassed, privilege is not escalated, and integrity is not affected.

Affected Systems

The issue affects fleetdm: fleet versions prior to 4.81.0. Updating to version 4.81.0 or later removes the problem.

Risk and Exploitability

With a CVSS score of 8.7, this flaw is considered high severity. The exploit requires an authenticated attacker possessing a Launcher node key, but once that is available, a single gRPC request can crash the server. The EPSS score is < 1%, and the vulnerability is not listed in CISA’s KEV catalog, but the high CVSS indicates a serious risk if the conditions are met.

Generated by OpenCVE AI on May 18, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Fleet to version 4.81.0 or later, which fixes the CWE‑20 input validation flaw.
  • Restrict inbound access to the Fleet gRPC endpoint to trusted host IP ranges or networks, and enforce input validation on the endpoint to address the CWE‑20 weakness.
  • If Launcher log ingestion is not needed, configure surrounding infrastructure to terminate or filter gRPC traffic to the Fleet server, ensuring only properly formatted requests reach the service and mitigating the CWE‑20 flaw.
  • Continuously monitor for unexpected Fleet process crashes or restarts and investigate any suspicious activity, as these may indicate attempts to exploit the CWE‑20 vulnerability.

Generated by OpenCVE AI on May 18, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x67p-9m2r-fxqv Fleet server may terminate unexpectedly when handling certain gRPC requests
History

Mon, 18 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 14 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Thu, 14 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host. An authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the `PublishLogs` endpoint. This vulnerability impacts availability only. There is no exposure of sensitive data, no authentication bypass, no privilege escalation, and no integrity impact. Version 4.81.0 contains a patch. If upgrading immediately is not possible, the following mitigations can reduce exposure. Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges); deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required; and/or monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.
Title Fleet server may terminate unexpectedly when handling certain gRPC requests
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:43:46.038Z

Reserved: 2026-02-10T18:01:31.900Z

Link: CVE-2026-26062

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T20:17:02.020

Modified: 2026-05-18T14:09:38.657

Link: CVE-2026-26062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T16:30:05Z

Weaknesses