Description
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned. As a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. This issue does not allow escalation of privileges within Fleet or access to device management functionality. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.
Published: 2026-02-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Exposes Google Calendar service account credentials to low‑privileged users, enabling unauthorized access to Google Workspace resources.
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Fleet’s configuration API, which returns Google Calendar service account credentials without proper obfuscation. Users authenticated with the lowest‑privileged “Observer” role can retrieve the private key material. This permits such a user to access Google Calendar data or other Workspace resources tied to the service account, though it does not allow privilege escalation within Fleet itself. The weakness is categorised as CWE‑201 (Insertion of Sensitive Information Into Sent Data).
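The defensive pattern the fix calls for is to obfuscate secret fields in a configuration read response and to accept the obfuscated sentinel back on update so that a client round-tripping the redacted config does not wipe the stored key. The Go program below is an added illustration of that pattern and is not Fleet's own code: the AppConfig and GoogleCalendarIntegration types, the MaskedSecret sentinel, the secretFields list and the service-account JSON values are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// MaskedSecret is the sentinel written into API responses in place of a secret.
// On update, a secret equal to this sentinel means "leave the stored value unchanged".
// (Hypothetical value, chosen for this example.)
const MaskedSecret = "********"

// GoogleCalendarIntegration holds one service-account integration.
// Hypothetical type, not Fleet's own; APIKey carries the service-account JSON fields.
type GoogleCalendarIntegration struct {
	Domain string            `json:"domain"`
	APIKey map[string]string `json:"api_key_json"`
}

// AppConfig is the subset of configuration returned by a config read endpoint.
type AppConfig struct {
	GoogleCalendar []GoogleCalendarIntegration `json:"google_calendar"`
}

// secretFields lists the service-account JSON keys that must never leave the server.
var secretFields = []string{"private_key", "private_key_id"}

// vulnerableConfigResponse serialises the stored config as-is, so the private key
// reaches every authenticated caller regardless of role.
func vulnerableConfigResponse(cfg AppConfig) string {
	b, _ := json.Marshal(cfg)
	return string(b)
}

// redactSecrets returns a deep copy of cfg with every secret field replaced by
// MaskedSecret; the stored config is never mutated.
func redactSecrets(cfg AppConfig) AppConfig {
	out := AppConfig{GoogleCalendar: make([]GoogleCalendarIntegration, len(cfg.GoogleCalendar))}
	for i, gc := range cfg.GoogleCalendar {
		copied := make(map[string]string, len(gc.APIKey))
		for k, v := range gc.APIKey {
			copied[k] = v
		}
		for _, f := range secretFields {
			if _, ok := copied[f]; ok {
				copied[f] = MaskedSecret
			}
		}
		out.GoogleCalendar[i] = GoogleCalendarIntegration{Domain: gc.Domain, APIKey: copied}
	}
	return out
}

// hardenedConfigResponse redacts before serialising, so no role sees key material.
func hardenedConfigResponse(cfg AppConfig) string {
	b, _ := json.Marshal(redactSecrets(cfg))
	return string(b)
}

// applyUpdate merges an incoming (possibly redacted) config into the stored one.
// A secret equal to MaskedSecret keeps the stored value; any other value replaces it.
func applyUpdate(stored, incoming AppConfig) AppConfig {
	out := AppConfig{GoogleCalendar: make([]GoogleCalendarIntegration, len(incoming.GoogleCalendar))}
	for i, inc := range incoming.GoogleCalendar {
		merged := make(map[string]string, len(inc.APIKey))
		for k, v := range inc.APIKey {
			merged[k] = v
		}
		if i < len(stored.GoogleCalendar) {
			for _, f := range secretFields {
				if merged[f] == MaskedSecret {
					merged[f] = stored.GoogleCalendar[i].APIKey[f]
				}
			}
		}
		out.GoogleCalendar[i] = GoogleCalendarIntegration{Domain: inc.Domain, APIKey: merged}
	}
	return out
}

// sampleConfig builds a constructed configuration; the key material is a placeholder.
func sampleConfig() AppConfig {
	return AppConfig{GoogleCalendar: []GoogleCalendarIntegration{{
		Domain: "example.com",
		APIKey: map[string]string{
			"type":           "service_account",
			"client_email":   "calendar-bot@example-project.iam.gserviceaccount.com",
			"private_key_id": "CONSTRUCTED_KEY_ID",
			"private_key":    "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED_NOT_A_REAL_KEY\n-----END PRIVATE KEY-----\n",
		},
	}}}
}

func main() {
	cfg := sampleConfig()
	fmt.Println("vulnerable response contains key:", strings.Contains(vulnerableConfigResponse(cfg), "PRIVATE KEY"))
	fmt.Println("hardened response contains key:  ", strings.Contains(hardenedConfigResponse(cfg), "PRIVATE KEY"))
	fmt.Println(hardenedConfigResponse(cfg))
}
```

Redacting for every role, rather than only for Observers, keeps the read path simple and avoids a second leak if a role check is later misplaced; the non-secret fields such as client_email stay visible so administrators can still see which account is configured.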

Affected Systems

Any installation of Fleet open‑source device management software using Google Calendar integration in versions prior to 4.80.1 is affected. The API endpoint that returns configuration data is accessible to authenticated users with the Observer role. The CVE applies to the fleetdm:fleet product family, as indicated by the CNA and CPE entries.

Risk and Exploitability

With a CVSS score of 1.3, the severity is considered low; an EPSS score of less than 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be via an authenticated API call to a configuration endpoint. Although the impact does not include Fleet privilege escalation, the exposure of service account credentials represents a significant risk to the external Google Workspace environment. Overall, the risk is low but warrants mitigation due to credential leakage.

Generated by OpenCVE AI on April 17, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.80.1 or later.
  • If immediate upgrade is not possible, remove the Google Calendar integration from Fleet.
  • After removal or upgrade, rotate the credentials of the affected Google service account to invalidate any keys that may have been exposed.

Generated by OpenCVE AI on April 17, 2026 at 14:25 UTC.

Advisories
Source: Github GHSA
ID: GHSA-2v6m-6xw3-6467
Title: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users
History

Mon, 02 Mar 2026 16:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Feb 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Fleetdm; Fleetdm fleet

Type: Vendors & Products
Values Added: Fleetdm; Fleetdm fleet

Thu, 26 Feb 2026 03:15:00 +0000

Type: Description
Values Added: Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned. As a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. This issue does not allow escalation of privileges within Fleet or access to device management functionality. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.

Type: Title
Values Added: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

Type: Weaknesses
Values Added: CWE-201

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:26:24.835Z

Reserved: 2026-02-19T17:25:31.101Z

Link: CVE-2026-27465

Vulnrichment

Updated: 2026-02-26T14:26:19.011Z

NVD

Status: Analyzed

Published: 2026-02-26T03:16:04.520

Modified: 2026-03-02T15:48:25.880

Link: CVE-2026-27465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses