{"id":4035124,"name":"github.com/fleetdm/fleet/v4","ecosystem":"go","description":"","homepage":"https://github.com/fleetdm/fleet","licenses":"UNKNOWN","normalized_licenses":["Other"],"repository_url":"https://github.com/fleetdm/fleet","keywords_array":[],"namespace":"github.com/fleetdm/fleet","versions_count":48,"first_release_published_at":"2022-11-19T18:20:42.801Z","latest_release_published_at":"2026-06-13T12:31:16.641Z","latest_release_number":"v4.86.2","last_synced_at":"2026-06-18T17:14:21.643Z","created_at":"2022-04-12T09:14:47.568Z","updated_at":"2026-06-19T01:12:39.053Z","registry_url":"https://pkg.go.dev/github.com/fleetdm/fleet/v4","install_command":"go get github.com/fleetdm/fleet/v4","documentation_url":"https://pkg.go.dev/github.com/fleetdm/fleet/v4#section-documentation","metadata":{},"repo_metadata":{"id":36969677,"uuid":"309820286","full_name":"fleetdm/fleet","owner":"fleetdm","description":"Open device management","archived":false,"fork":false,"pushed_at":"2026-05-21T22:45:22.000Z","size":1731043,"stargazers_count":6385,"open_issues_count":3556,"forks_count":886,"subscribers_count":43,"default_branch":"main","last_synced_at":"2026-05-21T22:58:17.080Z","etag":null,"topics":["binary-authorization","configuration-management","device-management","gitops","ios","linux","macos","mdm","open-source","orchestration","osquery","patching","powershell","scripting","security","software-management","telemetry","vulnerability-management"],"latest_commit_sha":null,"homepage":"https://fleetdm.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fleetdm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"docs/Contributing/README.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEO
WNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-11-03T22:17:18.000Z","updated_at":"2026-05-21T22:33:43.000Z","dependencies_parsed_at":"2023-10-27T21:24:00.709Z","dependency_job_id":"cc91d1b1-1f9f-4b5b-a568-6a3a35d1572a","html_url":"https://github.com/fleetdm/fleet","commit_stats":{"total_commits":14312,"total_committers":286,"mean_commits":50.04195804195804,"dds":0.9240497484628284,"last_synced_commit":"1446d280296c5488b1a40bf047ee589730f3a5c6"},"previous_names":[],"tags_count":577,"template":false,"template_full_name":null,"purl":"pkg:github/fleetdm/fleet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetdm%2Ffleet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetdm%2Ffleet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetdm%2Ffleet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetdm%2Ffleet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fleetdm","download_url":"https://codeload.github.com/fleetdm/fleet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetdm%2Ffleet/sbom","scorecard":{"id":112952,"data":{"date":"2025-08-15T15:15:59Z","repo":{"name":"github.com/fleetdm/fleet","commit":"17d1904f678ac5408ccda229d07def47c55d713c"},"scorecard":{"version":"v4.13.1","commit":"49c0eed3a423f00c872b5c3c9f1bbca9e8aae799"},"score":7.5,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'force pushes' disabled on branch 'main'","Info: 'allow deletion' disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Warn: number of required reviewers is only 1 on branch 'main'","Info: codeowner review is required on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":9,"reason":"29 out of 30 merged PRs checked by a CI test -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"26 different organizations found -- score normalized to 10","details":["Info: contributors work for HaikuTeam,PuerkitoBio,TheGnarCo,Unixono,balderdashy,cc-ai,cto fleet 
(@fleetdm),cu-applied-math,diez,expressjs,fleet (@fleetdm),fleet device management,fleetdm,go-elm,harfangapps,hypermegatop,micromdm,moonfire-ventures,mozillahispano,nko4,node-machine,oneclick,osquery,sails (@sailshq),sailshq,throttled"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: tool 'Dependabot' is used: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: third_party/httpsig-go/fz_test.go:14","Info: GoBuiltInFuzzer integration found: third_party/httpsig-go/fz_test.go:81","Info: GoBuiltInFuzzer integration found: third_party/httpsig-go/fz_test.go:148"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Warn: Any licence detected not an FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 25 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/fleetdm/fleet/actions/runs/16951801198: .github/workflows/goreleaser-fleet.yaml:22"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: containerImage not pinned by hash: infrastructure/loadtesting/terraform/docker/Dockerfile:2","Warn: containerImage not pinned by hash: orbit/tools/ubuntu/Dockerfile:1: pin your Docker image by updating ubuntu to ubuntu@sha256:7c06e91f61fa88c08cc74f7e1b7c69ae24910d745357e0dfe1d2c0322aaf20f9","Warn: containerImage not pinned by hash: tools/fleetd-linux/amazonlinux-2023/Dockerfile:1: pin your Docker image by updating amazonlinux:2023 to amazonlinux:2023@sha256:d6b42a987b6699493e34cccb263fa5d6bb5a19308e781384c786a384a71bea04","Warn: containerImage not pinned by hash: tools/fleetd-linux/debian-12.8/Dockerfile:1: pin your Docker image by updating debian:12.8 to debian:12.8@sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a","Warn: containerImage not pinned by hash: tools/fleetd-linux/fedora-41/Dockerfile:1: pin your Docker image by 
updating fedora:41 to fedora:41@sha256:db46c636d4c0efee042f54d2155d138f3d9e764c6d24a856eb4f4f36c92279f8","Warn: containerImage not pinned by hash: tools/fleetd-linux/redhat-9.5/Dockerfile:1: pin your Docker image by updating redhat/ubi9:9.5 to redhat/ubi9:9.5@sha256:d07a5e080b8a9b3624d3c9cfbfada9a6baacd8e6d4065118f0e80c71ad518044","Warn: containerImage not pinned by hash: tools/fleetd-linux/ubuntu-24.04/Dockerfile:1: pin your Docker image by updating ubuntu:24.04 to ubuntu:24.04@sha256:7c06e91f61fa88c08cc74f7e1b7c69ae24910d745357e0dfe1d2c0322aaf20f9","Warn: npmCommand not pinned by hash: ee/bulk-operations-dashboard/Dockerfile:11","Warn: npmCommand not pinned by hash: ee/vulnerability-dashboard/Dockerfile:11","Warn: npmCommand not pinned by hash: .github/workflows/build-fleetd-base-msi.yml:50","Warn: npmCommand not pinned by hash: .github/workflows/build-fleetd-base-pkg.yml:64","Warn: npmCommand not pinned by hash: .github/workflows/check-automated-doc.yml:60","Warn: npmCommand not pinned by hash: .github/workflows/deploy-fleet-website.yml:91","Warn: npmCommand not pinned by hash: .github/workflows/deploy-vulnerability-dashboard.yml:67","Warn: npmCommand not pinned by hash: .github/workflows/fleetctl-preview.yml:33","Warn: npmCommand not pinned by hash: .github/workflows/integration.yml:405","Warn: npmCommand not pinned by hash: .github/workflows/integration.yml:211","Warn: npmCommand not pinned by hash: .github/workflows/integration.yml:277","Warn: npmCommand not pinned by hash: .github/workflows/integration.yml:356","Warn: npmCommand not pinned by hash: .github/workflows/release-fleetd-base.yml:111","Warn: npmCommand not pinned by hash: .github/workflows/release-fleetd-base.yml:201","Warn: npmCommand not pinned by hash: .github/workflows/release-fleetd-chrome-beta.yml:48","Warn: npmCommand not pinned by hash: .github/workflows/release-fleetd-chrome.yml:49","Warn: npmCommand not pinned by hash: 
.github/workflows/test-bulk-operations-dashboard-changes.yml:55","Warn: npmCommand not pinned by hash: .github/workflows/test-fleetd-chrome.yml:56","Warn: npmCommand not pinned by hash: .github/workflows/test-vulnerability-dashboard-changes.yml:53","Warn: npmCommand not pinned by hash: .github/workflows/test-website.yml:65","Warn: npmCommand not pinned by hash: .github/workflows/update-old-tuf-timestamp-signature.yaml:38","Warn: npmCommand not pinned by hash: .github/workflows/update-tuf-timestamp-signature.yaml:28","Info: 229 out of 229 GitHub-owned GitHubAction dependencies pinned","Info: 159 out of 159 third-party GitHubAction dependencies pinned","Info:  16 out of  23 containerImage dependencies pinned","Info:   2 out of  24 npmCommand dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Warn: 11 commits out of 30 are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"0 out of 5 artifacts are signed or have provenance","details":["Warn: release artifact fleet-v4.72.0 does not have provenance: https://api.github.com/repos/fleetdm/fleet/releases/239834018","Warn: release artifact fleet-v4.72.0 not signed: https://api.github.com/repos/fleetdm/fleet/releases/239834018","Warn: release artifact fleet-v4.71.1 does not have provenance: https://api.github.com/repos/fleetdm/fleet/releases/237482300","Warn: release artifact fleet-v4.71.1 not signed: https://api.github.com/repos/fleetdm/fleet/releases/237482300","Warn: release artifact fleet-v4.71.0 does not have provenance: https://api.github.com/repos/fleetdm/fleet/releases/234706680","Warn: release artifact fleet-v4.71.0 not signed: https://api.github.com/repos/fleetdm/fleet/releases/234706680","Warn: release artifact fleet-v4.70.1 does not have provenance: https://api.github.com/repos/fleetdm/fleet/releases/231277568","Warn: release artifact fleet-v4.70.1 not signed: https://api.github.com/repos/fleetdm/fleet/releases/231277568","Warn: release artifact fleet-v4.70.0 does not have provenance: https://api.github.com/repos/fleetdm/fleet/releases/228913463","Warn: release artifact fleet-v4.70.0 not signed: https://api.github.com/repos/fleetdm/fleet/releases/228913463"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/build-and-check-fleetctl-docker-and-deps.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-binaries.yaml:21","Info: 
topLevel 'contents' permission set to 'read': .github/workflows/build-fleetd-base-msi.yml:37","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-fleetd-base-pkg.yml:36","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-fleetd_tables.yaml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-orbit.yaml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-automated-doc.yml:28","Warn: no topLevel permission defined: .github/workflows/check-ms-protocol-feeds.yml:1: Visit https://app.stepsecurity.io/secureworkflow/fleetdm/fleet/check-ms-protocol-feeds.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-tuf-timestamps.yml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-updates-timestamps.yml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-vulnerabilities-in-released-docker-images.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/close-stale-eng-initiated-issues.yml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/code-sign-windows.yml:38","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:28","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:35","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:36","Info: topLevel 'contents' permission set to 'read': .github/workflows/collect-eng-metrics-test.yml:22","Info: topLevel 'contents' permission set to 'read': .github/workflows/collect-eng-metrics.yml:14","Info: topLevel 'pull-requests' permission set to 'read': 
.github/workflows/collect-eng-metrics.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/db-upgrade-test.yml:22","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-fleet-website.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-vulnerability-dashboard.yml:10","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/deploy-vulnerability-dashboard.yml:15: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/docs.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/dogfood-automated-policy-updates.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/dogfood-deploy.yml:44","Info: topLevel 'contents' permission set to 'read': .github/workflows/dogfood-gitops.yml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/fleet-and-orbit.yml:38","Info: topLevel 'contents' permission set to 'read': .github/workflows/fleetctl-preview-latest.yml:46","Info: topLevel 'contents' permission set to 'read': .github/workflows/fleetctl-preview.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/fleetd-tuf.yml:19","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/fleetd-tuf.yml:24: Verify which permissions are needed and consider whether you can reduce them. 
(High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/generate-desktop-targets.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/generate-nudge-targets.yml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yml:33","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/golangci-lint.yml:34","Info: topLevel 'contents' permission set to 'read': .github/workflows/goreleaser-fleet.yaml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/goreleaser-orbit.yaml:14","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:20: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:23: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:83: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:86: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:128: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:131: Verify which permissions are needed and consider whether you can reduce them. 
(High effort)","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:170: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:173: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:223: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/goreleaser-orbit.yaml:220: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/goreleaser-snapshot-fleet.yaml:33","Info: topLevel 'contents' permission set to 'read': .github/workflows/ingest-maintained-apps.yml:15","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/ingest-maintained-apps.yml:16","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ingest-maintained-apps.yml:21: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/integration.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-helm.yaml:22","Info: topLevel 'contents' permission set to 'read': .github/workflows/randokiller-go.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-fleetctl-docker-deps.yaml:25","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-fleetctl-docker-deps.yaml:32: Verify which permissions are needed and consider whether you can reduce them. 
(High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-fleetd-base.yml:33","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-fleetd-chrome-beta.yml:27","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-fleetd-chrome-beta.yml:33","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-fleetd-chrome.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-fleetd-chrome.yml:34","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-helm.yaml:19","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-helm.yaml:24: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/render-deploy.yml:34","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards-analysis.yml:14","Warn: no topLevel permission defined: .github/workflows/secrets-to-confidential.yml:1: Visit https://app.stepsecurity.io/secureworkflow/fleetdm/fleet/secrets-to-confidential.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. 
(Low effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-bulk-operations-dashboard-changes.yml:15","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-bulk-operations-dashboard-changes.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-db-changes.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-fleetd-chrome.yml:24","Warn: no topLevel permission defined: .github/workflows/test-fma-darwin.yml:1: Visit https://app.stepsecurity.io/secureworkflow/fleetdm/fleet/test-fma-darwin.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Warn: no topLevel permission defined: .github/workflows/test-fma-windows.yml:1: Visit https://app.stepsecurity.io/secureworkflow/fleetdm/fleet/test-fma-windows.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. 
(Low effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-go.yaml:43","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-js.yml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-native-tooling-packaging.yml:38","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-packaging-build-docker-deps.yml:36","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-packaging.yml:51","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-puppet.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-vulnerability-dashboard-changes.yml:13","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-vulnerability-dashboard-changes.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-website.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-yml-specs.yml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/tfvalidate.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/trivy-scan.yml:30","Info: jobLevel 'contents' permission set to 'read': .github/workflows/trivy-scan.yml:36","Info: topLevel 'contents' permission set to 'read': .github/workflows/update-certs.yml:19","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/update-certs.yml:24: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/update-osquery-versions.yml:9","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/update-osquery-versions.yml:14: Verify which permissions are needed and consider whether you can reduce them. 
(High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/update-tuf-timestamp-signature.yaml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/validate-maintained-apps-inputs.yml:9","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/validate-maintained-apps-inputs.yml:10","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/validate-maintained-apps-inputs.yml:15: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/verify-fleetd-base.yml:29"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":4,"reason":"6 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T15:38:09.006Z","repository_id":36969677,"created_at":"2025-08-15T15:38:09.006Z","updated_at":"2025-08-15T15:38:09.006Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33378698,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-22T21:56:13.512Z","status":"ssl_error","status_checked_at":"2026-05-22T21:56:10.769Z","response_time":265,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"tags":[]},"repo_metadata_updated_at":"2026-05-23T01:14:02.299Z","dependent_packages_count":1,"downloads":null,"downloads_period":null,"dependent_repos_count":6,"rankings":{"downloads":null,"dependent_repos_count":2.06584120790669,"dependent_packages_count":9.561217324694391,"stargazers_count":1.84106306094423,"forks_count":1.8689519386710873,"docker_downloads_count":null,"average":3.8342683830541},"purl":"pkg:golang/github.com/fleetdm/fleet/v4","advisories":[{"uuid":"GSA_kwCzR0hTQS14NHFyLXF3Nmgtd3Z4cc4ABYn9","url":"https://github.com/advisories/GHSA-x4qr-qw6h-wvxq","title":"Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint","description":"### Summary\n\nA vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer 
role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service (APNS) tokens — through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist.\n\n### Impact\n\nThe `GET /api/v1/fleet/mdm/apple/commands` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. The underlying query joins the `hosts` and `nano_enrollments` tables, so any column on those tables could be supplied as `order_key`. An attacker with Observer credentials could then use the cursor-based pagination parameter (`after`) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.\n\nWith extracted `node_key` or `orbit_node_key` values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate.\n\nExploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. 
Instances without Apple MDM configured were not affected.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should:\n\n- Restrict the Observer role to fully trusted users until the patch is applied\n- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-06-12T21:00:48.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-x4qr-qw6h-wvxq","https://github.com/advisories/GHSA-x4qr-qw6h-wvxq"],"source_kind":"github","identifiers":["GHSA-x4qr-qw6h-wvxq","CVE-2026-46371"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-06-12T22:00:08.072Z","updated_at":"2026-06-14T01:00:09.849Z","epss_percentage":0.00019,"epss_percentile":0.05428,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NHFyLXF3Nmgtd3Z4cc4ABYn9","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14NHFyLXF3Nmgtd3Z4cc4ABYn9","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.84.2","vulnerable_version_range":"\u003c= 
4.84.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NHFyLXF3Nmgtd3Z4cc4ABYn9/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS12eG03LTl4OHYtOGdtNM4ABYn8","url":"https://github.com/advisories/GHSA-vxm7-9x8v-8gm4","title":"Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint","description":"### Summary\n\nA vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (`node_key`, `orbit_node_key`) through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist, permitting sort order to be driven by sensitive columns in a joined table.\n\n### Impact\n\nThe `GET /api/v1/fleet/labels/{id}/hosts` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. An attacker with Global Observer or Team Observer credentials could supply a sensitive column name (for example, `h.node_key`) as `order_key` and combine it with the cursor-based `after` parameter to binary-search the values of those columns one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.\n\nThe `node_key` and `orbit_node_key` values are the long-lived shared secrets used by osquery and Orbit agents to authenticate to the Fleet server. An attacker who extracted these keys could:\n\n- Impersonate enrolled hosts to Fleet's osquery and Orbit endpoints\n- Submit fabricated query results and host inventory data\n- Retrieve pending scripts and MDM commands queued for the host\n- Poison compliance and policy results across the Fleet deployment\n\nExploitation required authenticated Observer access. 
Fleet deployments that restrict Observer roles to fully trusted users were at lower practical risk, but the secrets exposed are high-value and long-lived.\n\n### Patches\n\n- v4.85.0\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should:\n\n- Restrict the Observer role to fully trusted users until the patch is applied\n- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-06-12T21:00:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-vxm7-9x8v-8gm4","https://github.com/advisories/GHSA-vxm7-9x8v-8gm4"],"source_kind":"github","identifiers":["GHSA-vxm7-9x8v-8gm4","CVE-2026-46370"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-06-12T22:00:08.072Z","updated_at":"2026-06-14T01:00:09.849Z","epss_percentage":0.00032,"epss_percentile":0.09955,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12eG03LTl4OHYtOGdtNM4ABYn8","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12eG03LTl4OHYtOGdtNM4ABYn8","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.84.2","vulnerable_version_range":"\u003c= 
4.84.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12eG03LTl4OHYtOGdtNM4ABYn8/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1teG1wLXdyM3ctcnZxeM4ABW2r","url":"https://github.com/advisories/GHSA-mxmp-wr3w-rvqx","title":"Fleet: IP spoofing allows bypassing API rate limiting","description":"### Summary\nA vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet.\n\n### Impact\nFleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions.\n\nAs a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks.\n\nThis issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. 
Instances behind a properly configured proxy or WAF are less affected.\n\n### Workarounds\nIf an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.\n\n### For more information\nIf you have any questions or comments about this advisory:\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\nWe thank @fuzzztf for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-14T13:18:33.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.9,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-mxmp-wr3w-rvqx","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.80.1","https://nvd.nist.gov/vuln/detail/CVE-2026-46356","https://github.com/advisories/GHSA-mxmp-wr3w-rvqx"],"source_kind":"github","identifiers":["GHSA-mxmp-wr3w-rvqx","CVE-2026-46356"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-14T14:00:17.861Z","updated_at":"2026-06-14T01:00:35.255Z","epss_percentage":0.00083,"epss_percentile":0.24069,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1teG1wLXdyM3ctcnZxeM4ABW2r","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1teG1wLXdyM3ctcnZxeM4ABW2r","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 
4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1teG1wLXdyM3ctcnZxeM4ABW2r/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05dmNyLWc1MzctM3c1ds4ABW2o","url":"https://github.com/advisories/GHSA-9vcr-g537-3w5v","title":"Fleet vulnerable to OS command injection in software packages","description":"### Summary\n\nA vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered.\n\n### Impact\n\nWhen a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploaded to Fleet, metadata is extracted from the package binary and used to generate uninstall scripts. In affected versions, this metadata is not properly sanitized before being included in the generated scripts. A specially crafted package containing malicious values in its metadata fields could result in unintended command execution when the uninstall script runs on managed endpoints.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should avoid uploading software packages obtained from untrusted or unverified sources. 
Additionally, administrators can manually inspect and edit auto-generated uninstall scripts before deployment.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\n\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-14T13:17:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.0,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-9vcr-g537-3w5v","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.1","https://nvd.nist.gov/vuln/detail/CVE-2026-26191","https://github.com/advisories/GHSA-9vcr-g537-3w5v"],"source_kind":"github","identifiers":["GHSA-9vcr-g537-3w5v","CVE-2026-26191"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-14T14:00:17.862Z","updated_at":"2026-06-14T01:00:36.907Z","epss_percentage":0.00034,"epss_percentile":0.10167,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05dmNyLWc1MzctM3c1ds4ABW2o","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05dmNyLWc1MzctM3c1ds4ABW2o","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.1","vulnerable_version_range":"\u003c 
4.81.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05dmNyLWc1MzctM3c1ds4ABW2o/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS14NjdwLTltMnItZnhxds4ABW2n","url":"https://github.com/advisories/GHSA-x67p-9m2r-fxqv","title":"Fleet server may terminate unexpectedly when handling certain gRPC requests","description":"### Summary\n\nFleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host.\n\n### Impact\n\nAn authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the `PublishLogs` endpoint.\n\nThis vulnerability impacts **availability only**. 
There is:\n\n- No exposure of sensitive data\n- No authentication bypass\n- No privilege escalation\n- No integrity impact\n\n### Workarounds\n\nIf upgrading immediately is not possible, the following mitigations can reduce exposure:\n\n- Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges).\n- Deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required.\n- Monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.\n\n### For More Information\n\nIf you have any questions or concerns about this advisory, please contact us at:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\n\n### Credits\n\nWe thank @fuzzztf for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-14T13:17:18.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-x67p-9m2r-fxqv","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.0","https://nvd.nist.gov/vuln/detail/CVE-2026-26062","https://github.com/advisories/GHSA-x67p-9m2r-fxqv"],"source_kind":"github","identifiers":["GHSA-x67p-9m2r-fxqv","CVE-2026-26062"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-14T14:00:17.862Z","updated_at":"2026-06-14T01:00:36.908Z","epss_percentage":0.00115,"epss_percentile":0.29798,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NjdwLTltMnItZnhxds4ABW2n","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14NjdwLTltMnItZnhxds4ABW2n","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.0","vulnerable_version_range":"\u003c 
4.81.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14NjdwLTltMnItZnhxds4ABW2n/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1mZmc5LWo3MmYtajZ4bc4ABW2m","url":"https://github.com/advisories/GHSA-ffg9-j72f-j6xm","title":"Fleet Windows MDM Azure AD JWT Authentication Bypass","description":"### Summary\n\nA vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes can be used to authenticate to Fleet's MDM endpoints.\n\n### Impact\n\nIf Windows MDM is enabled, an attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to enroll unauthorized devices and interact with Fleet's MDM management APIs. 
During device management, Fleet may expose sensitive enrollment secrets embedded in MDM command payloads, enabling further unauthorized access.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @zaddy6 for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-14T13:13:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-ffg9-j72f-j6xm","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.82.0","https://nvd.nist.gov/vuln/detail/CVE-2026-24899","https://github.com/advisories/GHSA-ffg9-j72f-j6xm"],"source_kind":"github","identifiers":["GHSA-ffg9-j72f-j6xm","CVE-2026-24899"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-14T14:00:17.862Z","updated_at":"2026-06-14T01:00:36.908Z","epss_percentage":0.00022,"epss_percentile":0.06509,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZmc5LWo3MmYtajZ4bc4ABW2m","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1mZmc5LWo3MmYtajZ4bc4ABW2m","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.82.0","vulnerable_version_range":"\u003c 
4.82.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZmc5LWo3MmYtajZ4bc4ABW2m/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1qOGg4LTc1aDMtamc1M84ABW2l","url":"https://github.com/advisories/GHSA-j8h8-75h3-jg53","title":"Fleet has a rate limiting bypass via untrusted client IP headers","description":"### Impact\n\nFleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls.\n\nFleet determines a client’s public IP address using HTTP headers such as:\n- X-Forwarded-For\n- X-Real-IP\n- True-Client-IP\n\nThese headers were trusted without validation. An attacker could supply arbitrary values in these headers, causing Fleet to treat each request as originating from a different IP address.\n\nThis could allow an attacker to bypass per-IP rate limits and increase the effectiveness of brute-force or password-spraying attempts against authentication endpoints.\n\nThis issue does not allow authentication bypass, privilege escalation, data exposure, or remote code execution on its own.\n\n### Workarounds\n\nRun Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @fuzzztf for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-05-14T13:13:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.9,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-j8h8-75h3-jg53","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.80.1","https://nvd.nist.gov/vuln/detail/CVE-2026-24000","https://github.com/advisories/GHSA-j8h8-75h3-jg53"],"source_kind":"github","identifiers":["GHSA-j8h8-75h3-jg53","CVE-2026-24000"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-14T14:00:17.862Z","updated_at":"2026-06-14T01:00:36.909Z","epss_percentage":0.00126,"epss_percentile":0.31582,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOGg4LTc1aDMtamc1M84ABW2l","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1qOGg4LTc1aDMtamc1M84ABW2l","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOGg4LTc1aDMtamc1M84ABW2l/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0ycmM0LTdqYzYtcWZmaM4ABW2k","url":"https://github.com/advisories/GHSA-2rc4-7jc6-qffh","title":"Fleet has a Windows MDM management endpoint authentication bypass","description":"### Summary\n\nA vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data.\n\n### Impact\n\nFleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. 
In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted.\n\nAs a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles.\n\nThis issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-05-14T13:13:11.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-2rc4-7jc6-qffh","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.0","https://nvd.nist.gov/vuln/detail/CVE-2026-23998","https://github.com/fleetdm/fleet/commit/3ff8119ab8f794806a4cc82e21f760c123d92966","https://github.com/advisories/GHSA-2rc4-7jc6-qffh"],"source_kind":"github","identifiers":["GHSA-2rc4-7jc6-qffh","CVE-2026-23998"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-05-14T14:00:17.862Z","updated_at":"2026-06-14T01:00:36.909Z","epss_percentage":0.00011,"epss_percentile":0.01474,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycmM0LTdqYzYtcWZmaM4ABW2k","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0ycmM0LTdqYzYtcWZmaM4ABW2k","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.0","vulnerable_version_range":"\u003c 4.81.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycmM0LTdqYzYtcWZmaM4ABW2k/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T","url":"https://github.com/advisories/GHSA-rphv-h674-5hp2","title":"Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit","description":"## Summary\n\nThe Orbit agent's FileVault disk encryption key rotation flow collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command(\"expect\", \"-c\", script)`. 
Because the password is inserted into Tcl brace-quoted `send {%s}`, a password containing `}` terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges.\n\n## CWE\n\n- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n- **CWE-94**: Improper Control of Generation of Code ('Code Injection')\n\n## Impact\n\n- Local privilege escalation to root: Any unprivileged local user on a managed endpoint can execute arbitrary commands as root\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-04-08T18:03:52.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.8,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-rphv-h674-5hp2","https://github.com/advisories/GHSA-rphv-h674-5hp2"],"source_kind":"github","identifiers":["GHSA-rphv-h674-5hp2","CVE-2026-27806"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-08T19:00:08.613Z","updated_at":"2026-06-14T01:01:14.273Z","epss_percentage":0.00007,"epss_percentile":0.00529,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.1","vulnerable_version_range":"\u003c 4.81.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycGh2LWg2NzQtNWhwMs4ABU8T/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS00ZjlyLXg1ODgtcHAyaM4ABUeM","url":"https://github.com/advisories/GHSA-4f9r-x588-pp2h","title":"Fleet's user account 
creation via invite does not enforce invited email address","description":"### Summary\n\nFleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin.\n\n### Impact\n\nIf an attacker gains access to a valid invite token, they can create a Fleet user account with an email address of their choosing while inheriting the invite’s assigned role and team memberships.\n\nThis issue:\n\n- Requires possession of a valid invite token\n- Does not bypass authentication controls beyond invite-based account creation\n- Does not expose data without successful account creation\n\n### Workarounds\n\nIf upgrading immediately is not possible:\n\n- Treat invite links as sensitive credentials and avoid sharing them in public or semi-public channels (e.g., Slack, Teams).\n- Revoke and reissue invites if there is any concern that an invite link may have been exposed.\n- Prefer issuing invites with the minimum required privileges and elevating roles after account creation when appropriate.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nSend an email to [security@fleetdm.com](mailto:security@fleetdm.com)\n\n### Credits\n\nFleet thanks @fuzzztf for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-30T19:29:13.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.9,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h","https://nvd.nist.gov/vuln/detail/CVE-2026-34389","https://github.com/advisories/GHSA-4f9r-x588-pp2h"],"source_kind":"github","identifiers":["GHSA-4f9r-x588-pp2h","CVE-2026-34389"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-30T20:00:10.965Z","updated_at":"2026-06-14T01:01:25.343Z","epss_percentage":0.00042,"epss_percentile":0.12906,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZjlyLXg1ODgtcHAyaM4ABUeM","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00ZjlyLXg1ODgtcHAyaM4ABUeM","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.0","vulnerable_version_range":"\u003c 4.81.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZjlyLXg1ODgtcHAyaM4ABUeM/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS13MjU0LTRocDUtN2N2ds4ABUeL","url":"https://github.com/advisories/GHSA-w254-4hp5-7cvv","title":"Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint","description":"### Summary\n\nA Denial of Service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connected hosts, MDM enrollments, and API consumers.\n\n### Impact\n\nAn attacker with access to a valid Launcher node key can send a specially crafted gRPC request to the Fleet server that triggers an unrecoverable server crash. 
The gRPC server lacks appropriate error recovery handling, meaning the entire Fleet process terminates rather than gracefully rejecting the malformed input.\n\nBecause the crash is instant and repeatable, an attacker could script repeated requests to prevent the server from recovering, resulting in a persistent denial of service until a patched version is deployed.\n\n### Workarounds\n\nThere is no workaround for this issue other than upgrading to a patched version.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nSend an email to  [security@fleetdm.com](mailto:security@fleetdm.com)\n\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @fuzzztf for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-30T19:22:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.6,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-w254-4hp5-7cvv","https://nvd.nist.gov/vuln/detail/CVE-2026-34388","https://github.com/advisories/GHSA-w254-4hp5-7cvv"],"source_kind":"github","identifiers":["GHSA-w254-4hp5-7cvv","CVE-2026-34388"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-30T20:00:10.965Z","updated_at":"2026-06-14T01:01:25.343Z","epss_percentage":0.00063,"epss_percentile":0.19793,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13MjU0LTRocDUtN2N2ds4ABUeL","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13MjU0LTRocDUtN2N2ds4ABUeL","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.0","vulnerable_version_range":"\u003c 
4.81.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13MjU0LTRocDUtN2N2ds4ABUeL/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05cDIzLXAybTQtMnI0bc4ABUeK","url":"https://github.com/advisories/GHSA-9p23-p2m4-2r4m","title":"Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin","description":"### Summary\n\nA SQL Injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs via direct API calls.\n\n### Impact\n\nAn authenticated user with Team Admin or Global Admin role can exploit a flaw in how user-supplied input is handled during MDM bootstrap package configuration. Insufficient server-side input validation allows crafted input to manipulate database queries in unintended ways.\n\nSuccessful exploitation could enable cross-team data corruption, exfiltration of sensitive information such as password hashes and API tokens, and potential privilege escalation. 
Exploitation requires authentication with team or global admin privileges and MDM to be enabled.\n\nThis issue does not affect instances where Apple MDM is disabled.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Apple MDM or limit admin roles.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nSend an email to  [security@fleetdm.com](mailto:security@fleetdm.com)\n\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks the Secfox Research Team (@secfox-ai) for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-30T19:18:29.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-9p23-p2m4-2r4m","https://nvd.nist.gov/vuln/detail/CVE-2026-34386","https://github.com/advisories/GHSA-9p23-p2m4-2r4m"],"source_kind":"github","identifiers":["GHSA-9p23-p2m4-2r4m","CVE-2026-34386"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-30T20:00:10.965Z","updated_at":"2026-06-14T01:01:25.344Z","epss_percentage":0.00016,"epss_percentile":0.03684,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cDIzLXAybTQtMnI0bc4ABUeK","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05cDIzLXAybTQtMnI0bc4ABUeK","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.0","vulnerable_version_range":"\u003c 
4.81.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cDIzLXAybTQtMnI0bc4ABUeK/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS12ODk1LTgzM3ItOGM0Nc4ABUeJ","url":"https://github.com/advisories/GHSA-v895-833r-8c45","title":"Fleet's Apple MDM profile delivery has second-order SQL Injection that can compromise the database","description":"### Summary\n\nA critical second-order SQL Injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credentials, API tokens, and device enrollment secrets.\n\n### Impact\n\nIf Apple MDM is enabled, an attacker controlling an enrolled device can send a malicious UDID during the MDM Authenticate check-in. The UDID is stored safely via parameterized queries, but is later interpolated directly into SQL when the async worker processes the job. This enables blind, boolean-based, and UNION-based SQL injection across four simultaneous subqueries.\n\nBecause Fleet's database driver is configured with `multiStatements=true`, the attacker can also execute stacked queries, enabling arbitrary writes to the database. 
This includes inserting new admin accounts, modifying configuration, deploying malicious profiles or scripts to managed devices, and deleting data.\n\nExploitation requires a valid SCEP-issued enrollment certificate (mTLS), but any enrolled device, including attacker-controlled devices, can exploit this vulnerability.\n\nThis issue does not affect instances where Apple MDM is disabled.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Apple MDM.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nSend an email to [security@fleetdm.com](mailto:security@fleetdm.com)\n\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-30T19:17:11.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-v895-833r-8c45","https://nvd.nist.gov/vuln/detail/CVE-2026-34385","https://github.com/advisories/GHSA-v895-833r-8c45"],"source_kind":"github","identifiers":["GHSA-v895-833r-8c45","CVE-2026-34385"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-30T20:00:10.965Z","updated_at":"2026-06-14T01:01:25.344Z","epss_percentage":0.00009,"epss_percentile":0.00981,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ODk1LTgzM3ItOGM0Nc4ABUeJ","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12ODk1LTgzM3ItOGM0Nc4ABUeJ","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.0","vulnerable_version_range":"\u003c 
4.81.0"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ODk1LTgzM3ItOGM0Nc4ABUeJ/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1tMmg2LTR4cHEtcXczbc4ABUZh","url":"https://github.com/advisories/GHSA-m2h6-4xpq-qw3m","title":"A Fleet team maintainer can transfer hosts from any team via missing source team authorization","description":"### Summary\n\nA broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges.\n\n### Impact\n\nThe host transfer endpoints verify that the caller has write permission to the destination team but do not check whether the caller has any permission over the source team of the hosts being transferred.\n\nOnce hosts are transferred, the attacker's team MDM configuration is automatically applied to the stolen devices, and the attacker can execute scripts on them with root privileges. In multi-tenant Fleet deployments where teams represent business units, departments, or customers, this breaks all team isolation guarantees. A bulk transfer variant allows stealing all matching hosts fleet-wide in a single request.\n\nExploitation requires authentication as a team maintainer or team admin.\n\n### Workarounds\n\nThere is no workaround for this issue short of upgrading to a patched version. 
Organizations concerned about exploitation should audit host transfer activity in their Fleet logs for any unexpected team reassignments.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-27T20:24:19.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.9,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.1","https://nvd.nist.gov/vuln/detail/CVE-2026-29180","https://github.com/advisories/GHSA-m2h6-4xpq-qw3m"],"source_kind":"github","identifiers":["GHSA-m2h6-4xpq-qw3m","CVE-2026-29180"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-27T21:00:09.339Z","updated_at":"2026-06-14T01:01:28.384Z","epss_percentage":0.00022,"epss_percentile":0.06561,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMmg2LTR4cHEtcXczbc4ABUZh","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1tMmg2LTR4cHEtcXczbc4ABUZh","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.81.1","vulnerable_version_range":"\u003c 4.81.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMmg2LTR4cHEtcXczbc4ABUZh/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05OWhqLTQ0dmctaGZjcM4ABUYn","url":"https://github.com/advisories/GHSA-99hj-44vg-hfcp","title":"Fleet's unbounded request body read allows remote Denial of 
Service","description":"### Summary\n\nFleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition.\n\n### Impact\n\nAn unauthenticated attacker could cause the Fleet server process to exhaust available memory and restart by sending oversized or repeated HTTP requests to affected endpoints.\n\nThis vulnerability impacts **availability only**. There is:\n\n- No exposure of sensitive data\n- No authentication bypass\n- No privilege escalation\n- No integrity impact\n\n### Workarounds\n\nIf upgrading immediately is not possible, the following mitigations can reduce exposure:\n\n- Apply request body size limits at a reverse proxy or load balancer (e.g., NGINX, Envoy).\n- Restrict network access to endpoints to known IP ranges where feasible.\n- Monitor memory usage and restart frequency for abnormal patterns.\n\n### For More Information\n\nIf there are any questions or concerns about this advisory, please contact us at:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\n\n### Credits\n\nFleet thanks @fuzzztf for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-03-27T18:17:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp","https://nvd.nist.gov/vuln/detail/CVE-2026-26061","https://github.com/advisories/GHSA-99hj-44vg-hfcp"],"source_kind":"github","identifiers":["GHSA-99hj-44vg-hfcp","CVE-2026-26061"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-27T19:00:08.582Z","updated_at":"2026-06-14T01:01:28.398Z","epss_percentage":0.00023,"epss_percentile":0.06687,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OWhqLTQ0dmctaGZjcM4ABUYn","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05OWhqLTQ0dmctaGZjcM4ABUYn","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.43.5-0.20260113202849-bbc1aef2987d","vulnerable_version_range":"\u003c 4.43.5-0.20260113202849-bbc1aef2987d"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OWhqLTQ0dmctaGZjcM4ABUYn/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0zNDU4LXI5NDMtaG14NM4ABUYm","url":"https://github.com/advisories/GHSA-3458-r943-hmx4","title":"Fleet: Password reset tokens remain valid after password change for 24 hours","description":"### Summary\n\nA vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. 
As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.\n\n### Impact\n\nIf an attacker had prior access to a valid password reset token, they could reuse that token within its validity window to reset the user’s password after the user has already changed it. This could result in temporary account takeover.\n\nExploitation requires prior compromise of a password reset token and is further constrained by the token’s 24-hour expiration period. The issue does not allow discovery of reset tokens, does not bypass authentication on its own, and does not affect accounts without an existing valid reset token.\n\n### Workarounds\n\nUntil patched, users who believe a password reset token may have been exposed should wait for the token to expire before reusing the account, or contact a Fleet administrator to invalidate active sessions.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)  \nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @fuzzztf for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-03-27T18:17:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.0,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4","https://nvd.nist.gov/vuln/detail/CVE-2026-26060","https://github.com/advisories/GHSA-3458-r943-hmx4"],"source_kind":"github","identifiers":["GHSA-3458-r943-hmx4","CVE-2026-26060"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-03-27T19:00:08.582Z","updated_at":"2026-06-14T01:01:28.399Z","epss_percentage":0.00022,"epss_percentile":0.06561,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNDU4LXI5NDMtaG14NM4ABUYm","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0zNDU4LXI5NDMtaG14NM4ABUYm","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.43.5-0.20260113202849-bbc1aef2987d","vulnerable_version_range":"\u003c 4.43.5-0.20260113202849-bbc1aef2987d"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNDU4LXI5NDMtaG14NM4ABUYm/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0ydjZtLTZ4dzMtNjQ2N84ABS3U","url":"https://github.com/advisories/GHSA-2v6m-6xw3-6467","title":"Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users","description":"### Summary\n\nA vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account.\n\n### Impact\n\nFleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. 
In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned.\n\nAs a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account.\n\nThis issue does not allow escalation of privileges within Fleet or access to device management functionality.\n\n### Patches\n\n- v4.80.1\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)  \nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-02-26T19:53:30.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.1,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-2v6m-6xw3-6467","https://nvd.nist.gov/vuln/detail/CVE-2026-27465","https://github.com/fleetdm/fleet/commit/23fc6804efe785f806f769d6be1f5f05b2e13ec2","https://github.com/advisories/GHSA-2v6m-6xw3-6467"],"source_kind":"github","identifiers":["GHSA-2v6m-6xw3-6467","CVE-2026-27465"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-26T20:00:08.215Z","updated_at":"2026-06-14T01:01:57.459Z","epss_percentage":0.00058,"epss_percentile":0.17698,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ydjZtLTZ4dzMtNjQ2N84ABS3U","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0ydjZtLTZ4dzMtNjQ2N84ABS3U","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ydjZtLTZ4dzMtNjQ2N84ABS3U/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01anZwLW05aDQtMjUzaM4ABS3S","url":"https://github.com/advisories/GHSA-5jvp-m9h4-253h","title":"Fleet: Authorization Bypass in certificate template batch deletion for team administrators","description":"### Summary\n\nA broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance.\n\n### Impact\n\nFleet supports certificate templates that are scoped to individual teams. 
In affected versions, the batch deletion endpoint validated authorization using a user-supplied team identifier but did not verify that the certificate template IDs being deleted actually belonged to that team.\n\nAs a result, a team administrator could delete certificate templates associated with other teams, potentially disrupting certificate-based workflows such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams.\n\nThis issue does not allow privilege escalation, access to sensitive data, or compromise of Fleet’s control plane. Impact is limited to integrity and availability of certificate templates across teams.\n\n### Patches\n\n- v4.80.1\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)  \nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-02-26T19:40:10.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.0,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-5jvp-m9h4-253h","https://nvd.nist.gov/vuln/detail/CVE-2026-25963","https://github.com/fleetdm/fleet/commit/d27d0362db390fe835e3b5328525f25018df0fb7","https://github.com/advisories/GHSA-5jvp-m9h4-253h"],"source_kind":"github","identifiers":["GHSA-5jvp-m9h4-253h","CVE-2026-25963"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-26T20:00:08.215Z","updated_at":"2026-06-14T01:01:57.460Z","epss_percentage":0.0004,"epss_percentile":0.11833,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01anZwLW05aDQtMjUzaM4ABS3S","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01anZwLW05aDQtMjUzaM4ABS3S","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01anZwLW05aDQtMjUzaM4ABS3S/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05cG03LTZnMzYtNmo3OM4ABS3R","url":"https://github.com/advisories/GHSA-9pm7-6g36-6j78","title":"Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint ","description":"### Summary\n\nA vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. 
This may result in unauthorized removal of individual Android devices from Fleet management.\n\n### Impact\n\nIf Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication.\n\nThis issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-02-26T19:38:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-9pm7-6g36-6j78","https://nvd.nist.gov/vuln/detail/CVE-2026-24004","https://github.com/fleetdm/fleet/commit/24dd2257ae7127680a2f6cd1a4eee58a9c95dd34","https://github.com/advisories/GHSA-9pm7-6g36-6j78"],"source_kind":"github","identifiers":["GHSA-9pm7-6g36-6j78","CVE-2026-24004"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-26T20:00:08.215Z","updated_at":"2026-06-14T01:01:57.461Z","epss_percentage":0.00103,"epss_percentile":0.27683,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cG03LTZnMzYtNmo3OM4ABS3R","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05cG03LTZnMzYtNmo3OM4ABS3R","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions
":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cG03LTZnMzYtNmo3OM4ABS3R/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1wcHd4LTVqcTctcHgyd84ABS3Q","url":"https://github.com/advisories/GHSA-ppwx-5jq7-px2w","title":"Fleet: Device lock PIN can be predicted if lock time is known","description":"### Summary\n\nFleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.\n\n### Impact\n\nFleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp.\n\nAn attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window.\n\nHowever, successful exploitation is constrained by multiple factors:\n- Physical access to the device is required.\n- The approximate lock time must be known.\n- The operating system enforces rate limiting on PIN entry attempts.\n- Attempts would need to be spread over multiple days.\n- Device wipe operations would typically complete before sufficient attempts could be made.\n\nAs a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls.\n\n### Workarounds\n\nThere are no known workarounds for this issue. 
Customers should upgrade to a patched version.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-02-26T19:35:29.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":4.1,"cvss_vector":"CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-ppwx-5jq7-px2w","https://nvd.nist.gov/vuln/detail/CVE-2026-23999","https://github.com/fleetdm/fleet/commit/05ca0693621e6671fb95dfc5437b9f9ee6dd7047","https://github.com/advisories/GHSA-ppwx-5jq7-px2w"],"source_kind":"github","identifiers":["GHSA-ppwx-5jq7-px2w","CVE-2026-23999"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-26T20:00:08.215Z","updated_at":"2026-06-14T01:01:57.462Z","epss_percentage":0.00023,"epss_percentile":0.06521,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcHd4LTVqcTctcHgyd84ABS3Q","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wcHd4LTVqcTctcHgyd84ABS3Q","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcHd4LTVqcTctcHgyd84ABS3Q/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS00OXh3LXZmYzQtN3A0M84ABS2w","url":"https://github.com/advisories/GHSA-49xw-vfc4-7p43","title":"Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter","description":"### Summary\n\nA SQL Injection vulnerability in 
Fleet’s software versions API allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause, specially crafted input could escape identifier quoting and be interpreted as executable SQL.\n\n### Impact\n\nAn authenticated attacker with access to the affected endpoint could inject SQL expressions into the underlying MySQL query. Although the injection occurs in an `ORDER BY` context, it is sufficient to enable blind SQL injection techniques that can disclose database information through conditional expressions that affect result ordering. Crafted expressions may also cause excessive computation or query failures, potentially leading to degraded performance or denial of service.\n\nNo direct evidence of reliable data modification or stacked query execution was demonstrated.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, users should restrict access to the affected endpoint to trusted roles only and ensure that any user-supplied sort or column parameters are strictly allow-listed at the application or proxy layer.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail fleet at [security@fleetdm.com](mailto:security@fleetdm.com)  \nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @fuzzztf for responsibly reporting this 
issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-02-26T15:14:12.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.1,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-49xw-vfc4-7p43","https://nvd.nist.gov/vuln/detail/CVE-2026-26186","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.80.1","https://github.com/advisories/GHSA-49xw-vfc4-7p43"],"source_kind":"github","identifiers":["GHSA-49xw-vfc4-7p43","CVE-2026-26186"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-02-26T16:00:07.715Z","updated_at":"2026-06-14T01:01:57.476Z","epss_percentage":0.0006,"epss_percentile":0.1854,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00OXh3LXZmYzQtN3A0M84ABS2w","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00OXh3LXZmYzQtN3A0M84ABS2w","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.80.1","vulnerable_version_range":"\u003c 4.80.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00OXh3LXZmYzQtN3A0M84ABS2w/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS00cjVyLWNjcjYtcTZmNs4ABRSo","url":"https://github.com/advisories/GHSA-4r5r-ccr6-q6f6","title":"Fleet has an Access Control vulnerability in debug/pprof endpoints","description":"### Summary\n\nA broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.\n\n### Impact\n\nFleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. 
This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist. \n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2026-01-20T20:55:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.1,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6","https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317","https://nvd.nist.gov/vuln/detail/CVE-2026-23517","https://pkg.go.dev/vuln/GO-2026-4334","https://github.com/advisories/GHSA-4r5r-ccr6-q6f6"],"source_kind":"github","identifiers":["GHSA-4r5r-ccr6-q6f6","CVE-2026-23517"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-01-20T21:00:08.204Z","updated_at":"2026-06-17T17:02:47.757Z","epss_percentage":0.00131,"epss_percentile":0.32049,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cjVyLWNjcjYtcTZmNs4ABRSo","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00cjVyLWNjcjYtcTZmNs4ABRSo","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.78.3-0.20260112221730-5c030e32a3a9","vulnerable_version_range":"\u003c 
4.78.3-0.20260112221730-5c030e32a3a9"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"},{"ecosystem":"go","package_name":"github.com/fleetdm/fleet","versions":[{"first_patched_version":"4.75.2","vulnerable_version_range":"\u003e= 4.75.0, \u003c 4.75.2"},{"first_patched_version":"4.76.2","vulnerable_version_range":"\u003e= 4.76.0, \u003c 4.76.2"},{"first_patched_version":"4.77.1","vulnerable_version_range":"\u003e= 4.77.0, \u003c 4.77.1"},{"first_patched_version":"4.78.3","vulnerable_version_range":"\u003e= 4.78.0, \u003c 4.78.3"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cjVyLWNjcjYtcTZmNs4ABRSo/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1nZnB3LWpndnItY3c0as4ABRSn","url":"https://github.com/advisories/GHSA-gfpw-jgvr-cw4j","title":"Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability","description":"### Summary\n\nA cross-site scripting (XSS) vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices.\n\n### Impact\n\nIf Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. 
Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.\n\nA compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts.\n\nThis issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled.\n\n### Patches\n\n- 4.78.2\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-01-20T20:52:17.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.5,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j","https://github.com/fleetdm/fleet/commit/0e6c790803d1b4407c5b4b41a67a37864a3d3573","https://nvd.nist.gov/vuln/detail/CVE-2026-22808","https://github.com/advisories/GHSA-gfpw-jgvr-cw4j"],"source_kind":"github","identifiers":["GHSA-gfpw-jgvr-cw4j","CVE-2026-22808"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-01-20T21:00:08.204Z","updated_at":"2026-06-17T17:02:47.757Z","epss_percentage":0.00047,"epss_percentile":0.14726,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZnB3LWpndnItY3c0as4ABRSn","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1nZnB3LWpndnItY3c0as4ABRSn","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched
_version":"4.43.5-0.20260111020427-0e6c790803d1","vulnerable_version_range":"\u003c 4.43.5-0.20260111020427-0e6c790803d1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"},{"ecosystem":"go","package_name":"github.com/fleetdm/fleet","versions":[{"first_patched_version":"4.75.2","vulnerable_version_range":"\u003e= 4.75.0, \u003c 4.75.2"},{"first_patched_version":"4.76.2","vulnerable_version_range":"\u003e= 4.76.0, \u003c 4.76.2"},{"first_patched_version":"4.77.1","vulnerable_version_range":"\u003e= 4.77.0, \u003c 4.77.1"},{"first_patched_version":"4.78.2","vulnerable_version_range":"\u003e= 4.78.0, \u003c 4.78.2"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nZnB3LWpndnItY3c0as4ABRSn/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01Mmp4LWc2bTUtaDczNc4ABFLX","url":"https://github.com/advisories/GHSA-52jx-g6m5-h735","title":"Fleet has SAML authentication vulnerability due to improper SAML response validation","description":"### Summary\n\nA vulnerability in Fleet’s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue affects Fleet deployments using single sign-on (SSO).\n\n### Impact\n\nIn vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:\n\n- Forge authentication assertions, potentially impersonating legitimate users.\n- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.\n- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.\n\nThis could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. 
\n\n### Patches\n\nThis issue is addressed in commit [fc96cc4](https://github.com/fleetdm/fleet/commit/fc96cc4e91047250afb12f65ad70e90b30a7fb1c) and is available in Fleet version 4.64.2.\n\nThe following backport versions also address this issue: \n\n- 4.63.2\n- 4.62.4\n- 4.58.1\n- 4.53.2\n\n### Workarounds\n\nIf an immediate upgrade is not possible, Fleet users should temporarily disable [single-sign-on (SSO)](https://fleetdm.com/docs/deploy/single-sign-on-sso) and use password authentication.\n\n### Credit\n\nThank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our [responsible disclosure process](https://github.com/fleetdm/fleet/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at security@fleetdm.com\n- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2025-03-06T19:12:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-52jx-g6m5-h735","https://github.com/fleetdm/fleet/commit/718c95e47ad010ad6b8ceb3f3460e921fbfc53bb","https://github.com/fleetdm/fleet/releases/tag/fleet-v4.64.2","https://nvd.nist.gov/vuln/detail/CVE-2025-27509","https://pkg.go.dev/vuln/GO-2025-3505","https://github.com/advisories/GHSA-52jx-g6m5-h735"],"source_kind":"github","identifiers":["GHSA-52jx-g6m5-h735","CVE-2025-27509"],"repository_url":"https://github.com/fleetdm/fleet","blast_radius":7.236806628567886,"created_at":"2025-03-06T20:07:57.873Z","updated_at":"2026-06-19T00:04:07.296Z","epss_percentage":0.0032,"epss_percentile":0.55553,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Mmp4LWc2bTUtaDczNc4ABFL
X","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01Mmp4LWc2bTUtaDczNc4ABFLX","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.53.2","vulnerable_version_range":"\u003c 4.53.2"},{"first_patched_version":"4.58.1","vulnerable_version_range":"\u003e= 4.54.0, \u003c 4.58.1"},{"first_patched_version":"4.62.4","vulnerable_version_range":"\u003e= 4.62.0, \u003c 4.62.4"},{"first_patched_version":"4.63.2","vulnerable_version_range":"\u003e= 4.63.0, \u003c 4.63.2"},{"first_patched_version":"4.64.2","vulnerable_version_range":"\u003e= 4.64.0, \u003c 4.64.2"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Mmp4LWc2bTUtaDczNc4ABFLX/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczd2YtY2Z4My02Z2N4","url":"https://github.com/advisories/GHSA-w3wf-cfx3-6gcx","title":"SAML authentication vulnerability due to stdlib XML parsing","description":"### Impact\nDue to issues in Go's standard library XML parsing, a valid SAML response may be mutated by an attacker to modify the trusted document. 
This can result in allowing unverified logins from a SAML IdP.\n\nUsers that configure Fleet with SSO login may be vulnerable to this issue.\n\n### Patches\nThis issue is patched in 3.5.1 using https://github.com/mattermost/xml-roundtrip-validator.\n\n### Workarounds\nIf upgrading to 3.5.1 is not possible, users should disable SSO authentication in Fleet.\n\n### References\nSee https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ for more information about the underlying vulnerabilities.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@fleetdm.com](mailto:security@fleetdm.com)\n* Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-02-11T23:59:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx","https://nvd.nist.gov/vuln/detail/CVE-2020-26276","https://github.com/fleetdm/fleet/commit/57812a532e5f749c8e18c6f6a652eca65c083607","https://github.com/fleetdm/fleet/blob/master/CHANGELOG.md#fleet-351-dec-14-2020","https://github.com/mattermost/xml-roundtrip-validator","https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities","https://github.com/advisories/GHSA-w3wf-cfx3-6gcx"],"source_kind":"github","identifiers":["GHSA-w3wf-cfx3-6gcx","CVE-2020-26276"],"repository_url":"https://github.com/fleetdm/fleet","blast_radius":0.0,"created_at":"2022-12-21T16:12:35.863Z","updated_at":"2026-06-19T00:10:19.538Z","epss_percentage":0.00978,"epss_percentile":0.76507,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczd2YtY2Z4My02Z2N4","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczd2YtY2Z4My02Z2N4","packages":[{"ecosystem":"go","package_name":"github.com
/fleetdm/fleet/v4","versions":[{"first_patched_version":"3.5.1","vulnerable_version_range":"\u003c 3.5.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4","statistics":{"dependent_packages_count":1,"dependent_repos_count":6,"downloads":null,"downloads_period":null},"affected_versions":[],"unaffected_versions":["v4.0.0","v4.0.1","v4.1.0","v4.28.0","v4.36.0","v4.37.0","v4.43.4","v4.46.0","v4.73.3","v4.75.0","v4.75.2","v4.76.0","v4.76.2","v4.77.0","v4.77.1","v4.78.0","v4.78.1","v4.78.2","v4.78.3","v4.79.0","v4.79.1","v4.80.0","v4.80.1","v4.80.2","v4.80.3","v4.81.0","v4.81.1","v4.81.2","v4.81.3","v4.82.0","v4.82.1","v4.82.2","v4.83.0","v4.83.1","v4.83.2","v4.84.0","v4.84.1","v4.84.2","v4.84.3","v4.85.0","v4.85.1","v4.85.2","v4.86.0","v4.86.1","v4.86.2"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXczd2YtY2Z4My02Z2N4/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1jaDY4LTdjZjQtMzV2cs0oag","url":"https://github.com/advisories/GHSA-ch68-7cf4-35vr","title":"Limited ability to spoof SAML authentication with missing audience verification in Fleet","description":"### Impact\n\nThis impacts deployments using SAML SSO in two specific cases:\n\n1. A malicious or compromised Service Provider (SP) could reuse the SAML response to log into Fleet as a user -- only if the user has an account with the same email in Fleet, _and_ the user signs into the malicious SP via SAML SSO from the same Identity Provider (IdP) configured with Fleet.\n2. A user with an account in Fleet could reuse a SAML response intended for another SP to log into Fleet. This is only a concern if the user is blocked from Fleet in the IdP, but continues to have an account in Fleet. 
If the user is blocked from the IdP entirely, this cannot be exploited.\n\n### Patches\nFleet 4.9.1 resolves this issue.\n\n### Workarounds and good practices\n* Reduce the length of sessions on your IdP to narrow the window for malicious re-use.\n* Limit the number of SAML Service Providers/Applications used by user accounts with access to Fleet.\n* When removing access to Fleet in the IdP, delete the Fleet user from Fleet as well.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Join us in the #fleet channel of [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw).\n* Email us at [security@fleetdm.com](mailto:security@fleetdm.com).","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-02-07T21:57:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://github.com/fleetdm/fleet/security/advisories/GHSA-ch68-7cf4-35vr","https://github.com/fleetdm/fleet/commit/35d5a7b285f15ddd47486fa656e8b1acf3d48374","https://nvd.nist.gov/vuln/detail/CVE-2022-23600","https://github.com/advisories/GHSA-ch68-7cf4-35vr"],"source_kind":"github","identifiers":["GHSA-ch68-7cf4-35vr","CVE-2022-23600"],"repository_url":"https://github.com/fleetdm/fleet","blast_radius":0.0,"created_at":"2022-12-21T16:12:35.913Z","updated_at":"2026-06-19T00:10:19.539Z","epss_percentage":0.00268,"epss_percentile":0.50556,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jaDY4LTdjZjQtMzV2cs0oag","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1jaDY4LTdjZjQtMzV2cs0oag","packages":[{"ecosystem":"go","package_name":"github.com/fleetdm/fleet/v4","versions":[{"first_patched_version":"4.9.1","vulnerable_version_range":"\u003c 
4.9.1"}],"purl":"pkg:go/github.com%2Ffleetdm%2Ffleet%2Fv4","statistics":{"dependent_packages_count":1,"dependent_repos_count":6,"downloads":null,"downloads_period":null},"affected_versions":["v4.0.0","v4.0.0-rc1","v4.0.0-rc2","v4.0.0-rc3","v4.0.1","v4.1.0"],"unaffected_versions":["v4.28.0","v4.36.0","v4.37.0","v4.43.4","v4.46.0","v4.73.3","v4.75.0","v4.75.2","v4.76.0","v4.76.2","v4.77.0","v4.77.1","v4.78.0","v4.78.1","v4.78.2","v4.78.3","v4.79.0","v4.79.1","v4.80.0","v4.80.1","v4.80.2","v4.80.3","v4.81.0","v4.81.1","v4.81.2","v4.81.3","v4.82.0","v4.82.1","v4.82.2","v4.83.0","v4.83.1","v4.83.2","v4.84.0","v4.84.1","v4.84.2","v4.84.3","v4.85.0","v4.85.1","v4.85.2","v4.86.0","v4.86.1","v4.86.2"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jaDY4LTdjZjQtMzV2cs0oag/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/fleetdm/fleet/v4","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/fleetdm/fleet/v4","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/fleetdm/fleet/v4/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-05-22T23:03:00.228Z","issues_count":7417,"pull_requests_count":13050,"avg_time_to_close_issue":7013128.81838734,"avg_time_to_close_pull_request":415388.19206914084,"issues_closed_count":3979,"pull_requests_closed_count":9834,"pull_request_authors_count":208,"issue_authors_count":303,"avg_comments_per_issue":2.3440744236214104,"avg_comments_per_pull_request":0.7391570881226054,"merged_pull_requests_count":8816,"bot_issues_count":95,"bot_pull_requests_count":392,"past_year_issues_count":1243,"past_year_pull_requests_count":2125,"past_year_avg_time_to_close_issue":2153553.5934959347,"past_year_avg_time_to_close_pull_request":211899.54326561323,"past_year_issues_closed_count":492,"past_year_pull_requests_clo
sed_count":1329,"past_year_pull_request_authors_count":103,"past_year_issue_authors_count":103,"past_year_avg_comments_per_issue":1.2059533386967014,"past_year_avg_comments_per_pull_request":0.8075294117647058,"past_year_bot_issues_count":25,"past_year_bot_pull_requests_count":47,"past_year_merged_pull_requests_count":1210,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/fleetdm%2Ffleet/issues","maintainers":[{"login":"noahtalerman","count":1571,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/noahtalerman"},{"login":"getvictor","count":1104,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/getvictor"},{"login":"RachelElysia","count":963,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/RachelElysia"},{"login":"lukeheath","count":843,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lukeheath"},{"login":"iansltx","count":769,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/iansltx"},{"login":"rachaelshaw","count":706,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rachaelshaw"},{"login":"lucasmrod","count":660,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lucasmrod"},{"login":"roperzh","count":551,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/roperzh"},{"login":"marko-lisica","count":523,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/marko-lisica"},{"login":"georgekarrv","count":492,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/georgekarrv"},{"login":"mna","count":447,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mna"},{"login":"Sampfluger88","count":442,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Sampfluger88"},{"login":"mikermcneil","count":423,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mikermcneil"},{"login":"allenhouchins","count":422,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/allenhouchins"},{"login":"mike-j-thomas","count":408,"
url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mike-j-thomas"},{"login":"dantecatalfamo","count":318,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/dantecatalfamo"},{"login":"ddribeiro","count":217,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ddribeiro"},{"login":"jmwatts","count":179,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jmwatts"},{"login":"sharon-fdm","count":177,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/sharon-fdm"},{"login":"ksatter","count":148,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ksatter"},{"login":"JordanMontgomery","count":121,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/JordanMontgomery"},{"login":"Patagonia121","count":120,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Patagonia121"},{"login":"harrisonravazzolo","count":109,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/harrisonravazzolo"},{"login":"zwass","count":108,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/zwass"},{"login":"qawolf-fleet","count":72,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/qawolf-fleet"},{"login":"hollidayn","count":70,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/hollidayn"},{"login":"pacamaster","count":63,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/pacamaster"},{"login":"MagnusHJensen","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/MagnusHJensen"},{"login":"AndreyKizimenko","count":47,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/AndreyKizimenko"},{"login":"zhumo","count":42,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/zhumo"},{"login":"sabrinabuckets","count":40,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/sabrinabuckets"},{"login":"kc9wwh","count":39,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/kc9wwh"},{"login":"SFriendLee","count":38,"url":"https://issues.e
cosyste.ms/api/v1/hosts/GitHub/authors/SFriendLee"},{"login":"cdcme","count":22,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/cdcme"},{"login":"defensivedepth","count":21,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/defensivedepth"},{"login":"jahzielv","count":18,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jahzielv"},{"login":"ambrusps","count":16,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ambrusps"},{"login":"AdamBaali","count":15,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/AdamBaali"},{"login":"spalmesano0","count":10,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/spalmesano0"},{"login":"jakestenger","count":8,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jakestenger"},{"login":"kitzy","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/kitzy"},{"login":"bettapizza","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bettapizza"},{"login":"Illbjorn","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Illbjorn"},{"login":"luisrca-tech","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/luisrca-tech"},{"login":"stokkelol","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/stokkelol"},{"login":"GrayW","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/GrayW"},{"login":"hetref","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/hetref"},{"login":"dominikkawka","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/dominikkawka"},{"login":"WardDeb","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/WardDeb"},{"login":"lordscoba","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lordscoba"},{"login":"CaioVSG","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/CaioVSG"},{"login":"NickBlee","count":1,"url":"https://issues.ecosyste.ms/
api/v1/hosts/GitHub/authors/NickBlee"},{"login":"Unearthlyglow","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Unearthlyglow"},{"login":"phtardif1","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/phtardif1"}],"active_maintainers":[{"login":"noahtalerman","count":361,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/noahtalerman"},{"login":"iansltx","count":197,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/iansltx"},{"login":"getvictor","count":166,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/getvictor"},{"login":"allenhouchins","count":135,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/allenhouchins"},{"login":"lucasmrod","count":130,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lucasmrod"},{"login":"RachelElysia","count":124,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/RachelElysia"},{"login":"lukeheath","count":106,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lukeheath"},{"login":"rachaelshaw","count":98,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rachaelshaw"},{"login":"georgekarrv","count":87,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/georgekarrv"},{"login":"marko-lisica","count":74,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/marko-lisica"},{"login":"JordanMontgomery","count":70,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/JordanMontgomery"},{"login":"Sampfluger88","count":60,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Sampfluger88"},{"login":"jmwatts","count":58,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jmwatts"},{"login":"dantecatalfamo","count":54,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/dantecatalfamo"},{"login":"MagnusHJensen","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/MagnusHJensen"},{"login":"AndreyKizimenko","count":47,"url":"https://issues
.ecosyste.ms/api/v1/hosts/GitHub/authors/AndreyKizimenko"},{"login":"mna","count":46,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mna"},{"login":"mike-j-thomas","count":44,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mike-j-thomas"},{"login":"sharon-fdm","count":38,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/sharon-fdm"},{"login":"kc9wwh","count":27,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/kc9wwh"},{"login":"ddribeiro","count":25,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ddribeiro"},{"login":"harrisonravazzolo","count":25,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/harrisonravazzolo"},{"login":"cdcme","count":22,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/cdcme"},{"login":"mikermcneil","count":22,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mikermcneil"},{"login":"ksatter","count":21,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/ksatter"},{"login":"jahzielv","count":17,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jahzielv"},{"login":"AdamBaali","count":15,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/AdamBaali"},{"login":"spalmesano0","count":10,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/spalmesano0"},{"login":"zwass","count":9,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/zwass"},{"login":"jakestenger","count":8,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jakestenger"},{"login":"SFriendLee","count":7,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/SFriendLee"},{"login":"hollidayn","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/hollidayn"},{"login":"Patagonia121","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Patagonia121"},{"login":"kitzy","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/kitzy"},{"login":"bettapizza","count":2,"url":"ht
tps://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bettapizza"},{"login":"Illbjorn","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Illbjorn"},{"login":"NickBlee","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/NickBlee"},{"login":"GrayW","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/GrayW"},{"login":"CaioVSG","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/CaioVSG"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Ffleetdm%2Ffleet%2Fv4/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Ffleetdm%2Ffleet%2Fv4/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Ffleetdm%2Ffleet%2Fv4/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Ffleetdm%2Ffleet%2Fv4/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Ffleetdm%2Ffleet%2Fv4/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Ffleetdm%2Ffleet%2Fv4/codemeta","maintainers":[]}