Description
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A logic error in Fleet versions earlier than 4.81.0 allows an authenticated host to crash the server by sending an unexpected log type value to the gRPC Launcher endpoint. The handler does not reject the unknown value; instead the server process terminates immediately, so a single malformed request from one host takes down the whole instance: every connected host is disconnected, mobile device management enrollments are disrupted, and API consumers lose the server. The weakness is an unhandled exceptional condition, categorized as CWE‑703 (Improper Check or Handling of Exceptional Conditions).
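To make that failure mode concrete, the following Go program is an added illustration and is not Fleet's code or the patched handler; the enum, message and function names (LogType, LogCollection, sinks, vulnerableHandler, hardenedHandler, withRecovery, serve) and the sample request are hypothetical and constructed for this example. It shows the CWE-703 pattern the description names, a handler that dispatches on an enum value without checking that the value is one it knows, beside a hardened form that rejects undeclared values, plus a recovery wrapper modelled on a gRPC recovery interceptor. The serve function stands in for the process boundary: in Go, an unrecovered panic in any goroutine ends the whole program, which is why one bad RPC can take a server, and every other client with it, offline.

```go
package main

import (
	"errors"
	"fmt"
)

// LogType mirrors the shape of a protobuf-generated enum: an int32 that the
// wire format carries with any value, not only the declared ones. The names
// are hypothetical, not Fleet's.
type LogType int32

const (
	LogType_STATUS LogType = 0
	LogType_RESULT LogType = 1
	LogType_STRING LogType = 2
)

// LogCollection is a constructed stand-in for the request message of a
// launcher-style "publish logs" RPC.
type LogCollection struct {
	NodeKey string
	LogType LogType
	Logs    []string
}

// ErrUnknownLogType is what the hardened handler returns for undeclared values.
var ErrUnknownLogType = errors.New("unknown log type")

// sinks maps each declared log type to the function that stores its entries.
// Looking up an undeclared value yields a nil func.
var sinks = map[LogType]func([]string) error{
	LogType_STATUS: func(logs []string) error { return nil },
	LogType_RESULT: func(logs []string) error { return nil },
	LogType_STRING: func(logs []string) error { return nil },
}

// vulnerableHandler is the CWE-703 pattern: it trusts the enum value and
// dispatches on it without checking membership. For LogType(99) the map
// lookup returns a nil func and calling it panics with a nil dereference.
func vulnerableHandler(req *LogCollection) error {
	return sinks[req.LogType](req.Logs)
}

// hardenedHandler validates the value before dispatch and returns an error
// that a gRPC server would map to an INVALID_ARGUMENT status for that one
// client, leaving every other connection untouched.
func hardenedHandler(req *LogCollection) error {
	sink, ok := sinks[req.LogType]
	if !ok {
		return fmt.Errorf("%w: %d", ErrUnknownLogType, req.LogType)
	}
	return sink(req.Logs)
}

// withRecovery is the defence-in-depth layer, modelled on a gRPC recovery
// interceptor: a panic inside the wrapped handler becomes an error for that
// request instead of an unrecovered panic that ends the process.
func withRecovery(h func(*LogCollection) error) func(*LogCollection) error {
	return func(req *LogCollection) (err error) {
		defer func() {
			if r := recover(); r != nil {
				err = fmt.Errorf("handler panicked: %v", r)
			}
		}()
		return h(req)
	}
}

// serve stands in for the process boundary. In Go an unrecovered panic in any
// goroutine terminates the whole program, so a panic escaping the handler is
// reported here as survived == false: in a real server the process is gone.
func serve(h func(*LogCollection) error, req *LogCollection) (survived bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			survived = false
			err = fmt.Errorf("process crashed: %v", r)
		}
	}()
	err = h(req)
	return true, err
}

func main() {
	// Constructed request carrying an undeclared log type value.
	bad := &LogCollection{NodeKey: "constructed-node-key", LogType: LogType(99), Logs: []string{"{}"}}
	cases := []struct {
		name string
		h    func(*LogCollection) error
	}{
		{"vulnerable", vulnerableHandler},
		{"hardened", hardenedHandler},
		{"vulnerable+recovery", withRecovery(vulnerableHandler)},
	}
	for _, c := range cases {
		survived, err := serve(c.h, bad)
		fmt.Printf("%-20s survived=%v err=%v\n", c.name, survived, err)
	}
}
```

The input-validation fix and the recovery wrapper are complementary: the first turns the unknown value into a per-request error, the second ensures that any handler bug of the same class that is still lurking costs one request rather than the whole process.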

Affected Systems

The vulnerability affects the fleetdm Fleet open source device‑management platform. Versions earlier than 4.81.0 are vulnerable; version 4.81.0 and newer contain the fix.

Risk and Exploitability

The CVSS 4.0 base score of 6.6 places the flaw at Medium severity. The vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H) describes a network-reachable request with no user interaction and no special preconditions, whose only direct impact is a high loss of availability; confidentiality and integrity are untouched. No EPSS score is available and the CVE is not in the CISA KEV catalog, so there is no recorded evidence of exploitation in the wild at the time of this page. The description states that the crashing request comes from an authenticated host, that is, a client able to speak to the gRPC Launcher endpoint with valid host credentials, so an attacker needs either control of an enrolled host or the ability to enroll one. Note that the published vector nevertheless scores privileges as PR:N; treat the endpoint as reachable by anything that can complete enrollment. From that position a single request crashes the server, and an unpatched server can be crashed again after every restart.

Generated by OpenCVE AI on March 27, 2026 at 20:23 UTC.

Remediation

Vendor fix: Fleet 4.81.0 patches the issue; upgrade to 4.81.0 or later. No workaround short of upgrading is documented on this page.

OpenCVE Recommended Actions

  • Verify the Fleet deployment version; ensure it is 4.81.0 or later.
  • If on a vulnerable version, upgrade immediately to 4.81.0 or the latest release.
  • After the upgrade, confirm that the running server process reports the new version; a deployment that was not restarted is still running the old binary.
  • Until the upgrade is applied, limit who can enroll hosts and restrict network reachability of the server's host-facing endpoints, since any authenticated host can trigger the crash.
  • Monitor for unexpected exits or restarts of the Fleet server process (process-supervisor logs, container restart counts), since the symptom of this flaw is the whole process terminating rather than an error returned for one request.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Title | | Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
Weaknesses | | CWE-703
References | | 
Metrics | | cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:13:00.388Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34388

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:35.800

Modified: 2026-03-27T20:16:35.800

Link: CVE-2026-34388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:39Z

Weaknesses