Description
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Fleet, an open source device‑management platform, contains a denial‑of‑service vulnerability in its gRPC Launcher endpoint. An attacker who can authenticate as a host can send a log message with an unexpected log type, causing the server to crash instantly. The crash destroys all active connections, halting host communication, MDM enrolments, and API availability, which can disrupt large fleets and render management interfaces unusable.

Affected Systems

The vulnerability affects the Fleet application from the fleetdm vendor. Versions prior to 4.81.0 are impacted. Users running any 4.x build before the 4.81.0 release are exposed; this includes the open source community edition and any supported distributions that have not yet been updated.

Risk and Exploitability

The reported CVSS score of 6.6 indicates moderate severity, and the very low EPSS score (<1%) suggests the likelihood of exploitation is currently small. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated host, so an attacker who compromises a fleet host or elevates privileges could trigger the crash. Because the crash terminates the Fleet server process outright, the impact is immediate and wide‑spread denial of service for all connected clients until the process is restarted.

Generated by OpenCVE AI on April 2, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch version 4.81.0 or newer.
  • Verify that no unpatched 4.x Fleet instances remain in production environments.

Generated by OpenCVE AI on April 2, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w254-4hp5-7cvv Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Fri, 27 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers. Version 4.81.0 patches the issue.
Title Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
Weaknesses CWE-703
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T13:44:23.562Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34388

cve-icon Vulnrichment

Updated: 2026-03-31T13:44:11.047Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T20:16:35.800

Modified: 2026-04-02T19:34:17.003

Link: CVE-2026-34388

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:36Z

Weaknesses