Description
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized privilege escalation
Action: Immediate patch
AI Analysis

Impact

The flaw in Fleet's invitation workflow allows an attacker who holds a valid invitation token to create a new user account under any e-mail address. The system does not verify that the e-mail supplied on acceptance matches the e-mail bound to the invite, so the new account inherits the role granted by the invite, which can be Global Admin. The weakness is classified as CWE-287 (Improper Authentication) and can lead to administrative access to the entire Fleet deployment.
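To make the missing check concrete, here is an added illustration in Go (Fleet's implementation language) that is not Fleet's code: a minimal invite-acceptance routine in its flawed shape beside one that enforces the invited address. The record types, the `tok-123` fixture and the function names are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"strings"
)

// Invite is a constructed stand-in for a stored invitation (hypothetical, not Fleet's schema).
type Invite struct{ Token, Email, Role string }

// AcceptRequest is the client-supplied acceptance payload; Email is client-controlled.
type AcceptRequest struct{ Token, Email string }

type User struct{ Email, Role string }

var (
	ErrInviteNotFound = errors.New("invite not found")
	ErrEmailMismatch  = errors.New("email does not match the invited address")
)

// normalize folds case and trims whitespace so the comparison is on the address itself.
func normalize(e string) string { return strings.ToLower(strings.TrimSpace(e)) }

// sampleInvites is a constructed fixture: one global-admin invite issued to alice.
func sampleInvites() map[string]Invite {
	return map[string]Invite{"tok-123": {Token: "tok-123", Email: "alice@example.com", Role: "admin"}}
}

// acceptInviteVulnerable models the pre-4.81.0 flaw: a valid token is enough, and the client's email becomes the account, carrying the invite's role.
func acceptInviteVulnerable(invites map[string]Invite, req AcceptRequest) (User, error) {
	inv, ok := invites[req.Token]
	if !ok {
		return User{}, ErrInviteNotFound
	}
	return User{Email: req.Email, Role: inv.Role}, nil
}

// acceptInviteFixed binds the account to the invited address: the submitted email must equal
// the invite's (constant-time), and the stored account uses the invite's copy, not the client's.
func acceptInviteFixed(invites map[string]Invite, req AcceptRequest) (User, error) {
	inv, ok := invites[req.Token]
	if !ok {
		return User{}, ErrInviteNotFound
	}
	if subtle.ConstantTimeCompare([]byte(normalize(inv.Email)), []byte(normalize(req.Email))) != 1 {
		return User{}, ErrEmailMismatch
	}
	return User{Email: inv.Email, Role: inv.Role}, nil
}
```

The fixed variant also refuses to persist the client's spelling of the address, so an account can never end up bound to anything other than what the inviter approved.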

Affected Systems

The vulnerability affects the open-source device management platform Fleet, developed by fleetdm. Versions released prior to 4.81.0 are vulnerable. Reducing exposure requires applying the patch that accompanies release 4.81.0 or newer.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. While the EPSS score is very low (under 1%) and the vulnerability is not listed in CISA's KEV catalog, exploitation requires a valid invite token, which an adversary may obtain through social engineering or by reusing a captured token. With the token, the attacker can create a fully privileged account, so the risk is significant for environments that issue Global Admin privileges.

Generated by OpenCVE AI on March 27, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fleet 4.81.0 or later to patch the e-mail validation bug


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 07:15:00 +0000

  • First Time appeared (values added): Fleetdm; Fleetdm fleet
  • Vendors & Products (values added): Fleetdm; Fleetdm fleet

Fri, 27 Mar 2026 19:45:00 +0000

  • Description (values added): Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
  • Title (values added): Fleet's user account creation via invite does not enforce invited email address
  • Weaknesses (values added): CWE-287
  • References (values added): none shown
  • Metrics (values added): cvssV4_0 {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:18:19.470Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34389

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-03-27T20:16:35.957

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-34389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:00:47Z

Weaknesses