Description
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.
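To make the defect concrete, here is an added Go example (not Fleet's own code) contrasting the header-trusting extraction the advisory describes with a trusted-proxy-aware version: headers are consulted only when the TCP peer is in an operator-configured proxy list (assumed here to be 10.0.0.0/8 in the tests), and X-Forwarded-For is walked right to left past the proxies' own hops. It assumes, as the advisory's workaround does, that the trusted proxy overwrites True-Client-IP and X-Real-IP rather than forwarding client-supplied values.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// insecureClientIP mirrors the pre-4.80.1 pattern the advisory describes: any
// forwarding header is honoured regardless of who sent it, so the key is spoofable.
func insecureClientIP(r *http.Request) string {
	for _, h := range []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"} {
		if v := r.Header.Get(h); v != "" {
			return strings.TrimSpace(strings.Split(v, ",")[0])
		}
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// trustedClientIP honours forwarding headers only when the TCP peer is a configured proxy
// (assumed to overwrite True-Client-IP/X-Real-IP), walking X-Forwarded-For right to left.
func trustedClientIP(r *http.Request, trusted []*net.IPNet) string {
	peer, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
	if !inNets(net.ParseIP(peer), trusted) {
		return peer // direct client: never trust headers it may have set itself
	}
	for _, h := range []string{"True-Client-IP", "X-Real-IP"} {
		if ip := net.ParseIP(strings.TrimSpace(r.Header.Get(h))); ip != nil {
			return ip.String()
		}
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip != nil && !inNets(ip, trusted) {
			return ip.String()
		}
	}
	return peer // every listed hop was a trusted proxy; fall back to the peer
}

func inNets(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}
```

The string returned by `trustedClientIP` is what a rate limiter or IP-ban table should key on; a direct client that rotates these headers now always maps to its real peer address.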
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fleet's IP extraction logic interprets the headers True-Client-IP, X-Real-IP, and X-Forwarded-For as trusted client addresses without verifying their origin. An unauthenticated attacker can craft requests that rotate these headers, causing Fleet to assign each request a different perceived IP. The rate-limiting mechanism relies on the extracted IP to throttle repeated requests, so this manipulation allows an attacker to circumvent per-IP limits on sensitive endpoints such as the login API, effectively creating an open channel for brute-force attempts. The vulnerability does not immediately expose data or alter state; its primary consequence is facilitating credential theft or account compromise through automated attack streams.

Affected Systems

The flaw exists in all versions of fleetdm/fleet earlier than 4.80.1. Instances exposed directly to the public internet without a trusted reverse proxy are affected. Those deployed behind a correctly configured reverse proxy or Web Application Firewall that rewrites or rejects forwarded-IP headers are less impacted.

Risk and Exploitability

With a CVSS score of 6.9, the security impact is moderate; the EPSS score is unavailable, but the lack of a KEV listing suggests that known exploits are not widespread in the wild. The vulnerability is exploitable over the public network when an instance is exposed without additional filtering or a reverse proxy. An attacker only needs to send crafted HTTP requests with rotating IP headers, a technique that is straightforward to automate. The consequence is potentially unlimited credential-guessing or credential-stuffing against sensitive Fleet endpoints. Given these conditions, administrators should address this issue promptly, especially for publicly exposed deployments.

Generated by OpenCVE AI on May 14, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update fleetdm/fleet to version 4.80.1 or later, which contains code that validates the provenance of IP-related headers.
  • If an immediate upgrade is not possible, deploy Fleet behind a reverse proxy or WAF that overwrites X-Forwarded-For and similar headers with the true client IP, and enforce rate limiting at the proxy or WAF level.
  • As a supplemental measure, configure Fleet (or the reverse proxy or firewall in front of it) to reject or strip the True-Client-IP, X-Real-IP, and X-Forwarded-For headers on unauthenticated requests when no trusted proxy is present.


Advisories

Source: GitHub GHSA
ID: GHSA-mxmp-wr3w-rvqx
Title: Fleet: IP spoofing allows bypassing API rate limiting
History

Thu, 14 May 2026 21:30:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 21:00:00 +0000

  • First Time appeared (values added): Fleetdm; Fleetdm fleet
  • Vendors & Products (values added): Fleetdm; Fleetdm fleet

Thu, 14 May 2026 19:30:00 +0000

  • Description (values added): the description shown at the top of this page
  • Title (values added): Fleet: IP spoofing allows bypassing API rate limiting
  • Weaknesses (values added): CWE-290
  • References (values added): none shown
  • Metrics (values added): cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:39:08.867Z

Reserved: 2026-05-13T18:37:30.991Z

Link: CVE-2026-46356

Vulnrichment

Updated: 2026-05-14T19:39:01.368Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T20:17:09.540

Modified: 2026-05-14T21:24:23.440

Link: CVE-2026-46356

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses