Description
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
Published: 2026-03-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized privileged account creation via invitation
Action: Immediate Patch
AI Analysis

Impact

Fleet’s invitation flow allows an attacker who possesses a valid invitation token to create a new user account under any email address, bypassing the intended match between the token’s pre‑allocated email and the one entered upon acceptance. The resulting account inherits the role specified in the invitation, which may include global administrator rights. This flaw is an authentication bypass that can grant an attacker full control over the Fleet deployment.

Affected Systems

The vulnerability exists in the open‑source Fleet device‑management platform from fleetdm. All releases before version 4.81.0 are affected; upgrading to 4.81.0 or later applies the fix. No other versions are impacted.

Risk and Exploitability

The CVSS base score of 4.9 indicates moderate severity, while the EPSS score of less than 1 % shows low likelihood of widespread exploitation. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an attacker to obtain a valid invitation token; the advisory implies that the token may be acquired or guessed, but it does not detail the exact mechanism. Attackers with such a token can create a privileged account and potentially compromise the entire fleet.

Generated by OpenCVE AI on April 2, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.0 or later

Generated by OpenCVE AI on April 2, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4f9r-x588-pp2h Fleet's user account creation via invite does not enforce invited email address
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Fri, 27 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
Title Fleet's user account creation via invite does not enforce invited email address
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T19:01:30.519Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34389

cve-icon Vulnrichment

Updated: 2026-03-30T19:01:26.281Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T20:16:35.957

Modified: 2026-04-02T19:41:09.287

Link: CVE-2026-34389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:35Z

Weaknesses