PatchSiren

CVE-2026-24899 fleetdm CVE debrief

Fleet's Windows MDM enrollment flow prior to version 4.82.0 fails to validate JWT audience (`aud`) and issuer (`iss`) claims when verifying Azure AD authentication tokens. The application uses Microsoft's multi-tenant JWKS endpoint for signature validation but accepts tokens from any Azure AD tenant, not just the configured tenant. An attacker with access to any valid Azure AD tenant can obtain a Microsoft-signed access token with appropriate scopes and use it to authenticate to Fleet's MDM endpoints. This enables unauthorized device enrollment and access to MDM management APIs, potentially exposing sensitive enrollment secrets embedded in MDM command payloads. The vulnerability stems from incomplete JWT validation logic that verifies cryptographic signatures without enforcing tenant-bound claims.

Vendor
fleetdm
Product
fleet
CVSS
HIGH 8.2
CISA KEV
Not listed (as of the evidence on file)
Original CVE published
2026-05-14
Original CVE updated
2026-05-26
Advisory published
2026-05-14
Advisory updated
2026-05-26

Who should care

Organizations using Fleet for Windows device management with MDM functionality enabled. Security teams responsible for MDM infrastructure, identity and access management administrators configuring Azure AD integrations, and endpoint security engineers managing device enrollment workflows. Particularly critical for environments where Fleet MDM endpoints are internet-accessible.

Technical summary

The vulnerability exists in Fleet's Windows MDM enrollment implementation, where JWT validation is incomplete. Signatures are verified against Microsoft's multi-tenant (common) JWKS endpoint, but the `aud` (audience) and `iss` (issuer) claims are not validated against the expected tenant configuration. Because the common endpoint publishes the keys Microsoft uses to sign tokens for every tenant, a valid signature proves only that Microsoft issued the token, not that it was issued by the configured tenant or for Fleet; a token from any Azure AD tenant therefore passes authentication. The attack requires: (1) Windows MDM enabled in Fleet, (2) the ability to obtain a valid Azure AD access token from any tenant with the required scopes, and (3) network access to Fleet's MDM endpoints. Successful exploitation grants MDM enrollment capabilities and API access, with potential secondary exposure of enrollment secrets in command payloads. The fix in 4.82.0 adds claim validation that binds token acceptance to the configured Azure AD tenant.
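The gap described above, as an added example in Go (Fleet's own language) that is not Fleet's code: a minimal RS256 verifier in the vulnerable shape (signature only, against a key standing in for one published at Microsoft's common JWKS endpoint) beside the hardened form that pins `iss` and `aud` to the configured tenant and application, exercised offline against two constructed tokens. The signing key, tenant IDs, audience values and the v2.0 issuer URL format are assumptions for illustration; a real verifier would select the key by `kid` from the fetched JWKS document and compare against the tenant configured in Fleet.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of an Entra ID (Azure AD) access token used here.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// signRS256 builds a compact JWS from constructed claims, standing in for Microsoft's
// token service: the key plays a key at the common (multi-tenant) JWKS endpoint.
func signRS256(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // flat struct of string/int64 fields, cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only if the system RNG fails; this routine just builds test data
	}
	return input + "." + b64.EncodeToString(sig)
}

// verifySignature checks only that the trusted key signed the token (algorithm pinned
// to RS256; the header's alg is never consulted). Any Microsoft-signed token passes,
// whichever tenant issued it: the pre-4.82.0 behaviour the advisory describes.
func verifySignature(pub *rsa.PublicKey, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// verifyTenantBound is the hardened form: after the signature check it pins iss to the
// configured tenant (v2.0 issuer format) and aud to this service, and rejects expiry.
func verifyTenantBound(pub *rsa.PublicKey, token, tenantID, wantAud string, now time.Time) (*Claims, error) {
	c, err := verifySignature(pub, token)
	if err != nil {
		return nil, err
	}
	if c.Iss != "https://login.microsoftonline.com/"+tenantID+"/v2.0" {
		return nil, fmt.Errorf("issuer %q is not the configured tenant", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this application", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	return c, nil
}

// Outcome records which verifier accepted which constructed token.
type Outcome struct{ SigOnlyAcceptsForeign, BoundAcceptsForeign, BoundAcceptsOwn bool }

// Scenario reproduces the advisory's condition offline: one shared signing key, a token
// from the configured tenant and one from an attacker's tenant. IDs and audiences are made up.
func Scenario() Outcome {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const ourTenant, attackerTenant = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
	const ourAud = "api://fleet-mdm-example"
	now := time.Now()
	iss := func(t string) string { return "https://login.microsoftonline.com/" + t + "/v2.0" }
	own := signRS256(key, Claims{Iss: iss(ourTenant), Aud: ourAud, Exp: now.Add(time.Hour).Unix()})
	foreign := signRS256(key, Claims{Iss: iss(attackerTenant), Aud: "api://other-app", Exp: now.Add(time.Hour).Unix()})
	_, sigErr := verifySignature(&key.PublicKey, foreign)
	_, boundForeignErr := verifyTenantBound(&key.PublicKey, foreign, ourTenant, ourAud, now)
	_, boundOwnErr := verifyTenantBound(&key.PublicKey, own, ourTenant, ourAud, now)
	return Outcome{sigErr == nil, boundForeignErr == nil, boundOwnErr == nil}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints `{SigOnlyAcceptsForeign:true BoundAcceptsForeign:false BoundAcceptsOwn:true}`: the same Microsoft-style signature satisfies the signature-only verifier for the attacker's token, while the tenant-bound verifier rejects it on the issuer check and still admits the configured tenant. Both claims matter: an attacker who controls a tenant controls every claim inside tokens that tenant issues, so the trust boundary is the issuer Microsoft signed for, and a multi-tenant app registration can yield a foreign-tenant token whose `aud` is correct, which only the `iss` check catches.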

Defensive priority

High

Recommended defensive actions

  • Upgrade Fleet to version 4.82.0 or later to obtain the patch for JWT claim validation
  • If immediate upgrade is not possible, temporarily disable Windows MDM functionality, or at minimum restrict network access to the MDM endpoints until the upgrade is done
  • Review MDM enrollment logs for unauthorized device enrollments from unexpected Azure AD tenants
  • Audit MDM command history for exposure of sensitive enrollment secrets
  • After patching, confirm that an enrollment attempt using a token from a non-configured Azure AD tenant is rejected, i.e. that validation now enforces both `aud` and `iss` against the configured tenant
  • Review and rotate any enrollment secrets that may have been exposed through MDM command payloads

Evidence notes

NVD status: Analyzed, with a CVSS 4.0 vector. GitHub Security Advisory GHSA-ffg9-j72f-j6xm is the vendor advisory. Patch released in fleet-v4.82.0. CWE-290 (Authentication Bypass by Spoofing) is the identified primary weakness.

Official resources

2026-05-14T20:17:01.873Z