PatchSiren cyber security CVE debrief
CVE-2026-46356 Fleetdm CVE debrief
CVE-2026-46356 affects Fleet versions before 4.80.1. Fleet’s client-IP extraction logic accepted forwarded IP headers without verifying that they came from a trusted proxy, which let unauthenticated attackers vary those headers and evade per-IP rate limits and IP bans. The practical risk is increased exposure of public Fleet deployments to brute-force login and credential-stuffing attempts, especially when Fleet is reachable directly from the internet.
- Vendor: Fleetdm
- Product: Fleet
- CVSS: 6.9 (MEDIUM)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Fleet administrators, especially those operating internet-facing instances, should care most. Teams that rely on Fleet’s per-IP login throttling or ban logic, and environments without a reverse proxy or WAF that overwrites forwarded-IP headers, have the highest exposure.
Technical summary
According to the vendor advisory and release notes referenced by NVD, Fleet derived the client IP from the True-Client-IP, X-Real-IP, and X-Forwarded-For headers without checking that the request had arrived through a trusted proxy. That value was then used as the key for rate-limiting and IP-ban decisions. Because a client connecting directly can set these headers to anything, an attacker could present a fresh address on every request, so each attempt looked like a new client and per-IP controls on sensitive endpoints such as login never tripped. The issue is classified as CWE-290 (Authentication Bypass by Spoofing) and is fixed in Fleet 4.80.1.
Defensive priority
Medium priority overall, but higher urgency for public-facing Fleet deployments. Upgrade promptly if Fleet is exposed to the internet, because the flaw weakens a control that protects authentication endpoints. If immediate upgrading is not possible, compensate at the proxy or WAF layer and ensure forwarded-IP headers are overwritten by a trusted reverse proxy; this only helps if clients cannot reach the Fleet listener except through that proxy.
Recommended defensive actions
- Upgrade Fleet to version 4.80.1 or later.
- Place Fleet behind a trusted reverse proxy or WAF that overwrites forwarded-IP headers with the true client address. Check that it overwrites or strips all three headers Fleet consulted (True-Client-IP, X-Real-IP, and X-Forwarded-For), not just X-Forwarded-For, since a header the proxy passes through untouched remains attacker-controlled.
- Apply rate limiting at the proxy or WAF layer rather than relying only on application-level IP throttling.
- Review public exposure of Fleet login and other sensitive endpoints and reduce direct internet access where possible.
- Validate that any proxy chain is configured so Fleet only trusts IP headers from known intermediaries.
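The header handling described in the technical summary, and the "only trust IP headers from known intermediaries" recommendation above, as an added example in Go (Fleet's own language). This is not code from Fleet, its 4.80.1 patch, or the original page: naiveClientIP reproduces the vulnerable pattern, trustedClientIP is one hardened alternative written for this debrief, and simulate runs a burst of login attempts from a single TCP peer against a toy per-IP limiter keyed by each extractor. The proxy range 10.0.0.0/8, the addresses, and the /login path are constructed for illustration. It also covers a case the page does not spell out: an attacker behind the real proxy prepending entries to X-Forwarded-For, which a rightmost-untrusted walk ignores.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Headers the advisory says Fleet consulted before 4.80.1.
var forwardedHeaders = []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"}

// peerIP returns the TCP peer address, the one value the client cannot choose.
func peerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// naiveClientIP reproduces the vulnerable pattern: honour any forwarded-IP header from anyone.
func naiveClientIP(r *http.Request) string {
	for _, h := range forwardedHeaders {
		if v := strings.TrimSpace(r.Header.Get(h)); v != "" {
			return strings.TrimSpace(strings.Split(v, ",")[0]) // leftmost hop of a list
		}
	}
	return peerIP(r)
}

// isTrusted reports whether ipStr lies inside one of the trusted proxy CIDRs.
func isTrusted(ipStr string, cidrs []string) bool {
	ip := net.ParseIP(ipStr)
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// trustedClientIP is the hardened variant (this debrief's approach, not Fleet's patch).
// Forwarded headers count only when the peer is a trusted proxy, and X-Forwarded-For is
// read from the right, skipping trusted hops, so the result is the first address a
// trusted proxy actually observed rather than whatever the client prepended.
func trustedClientIP(r *http.Request, cidrs []string) string {
	peer := peerIP(r)
	if !isTrusted(peer, cidrs) {
		return peer // direct connection: every header is attacker-controlled
	}
	var hops []string
	for _, part := range strings.Split(r.Header.Get("X-Forwarded-For"), ",") {
		if p := strings.TrimSpace(part); p != "" {
			hops = append(hops, p)
		}
	}
	for i := len(hops) - 1; i >= 0; i-- {
		if net.ParseIP(hops[i]) == nil {
			return peer // malformed chain: fall back to the proxy's own address
		}
		if !isTrusted(hops[i], cidrs) {
			return hops[i]
		}
	}
	return peer
}

// newRequest builds a constructed login request from remote carrying X-Forwarded-For xff.
func newRequest(remote, xff string) *http.Request {
	r, _ := http.NewRequest("POST", "http://fleet.example/login", nil) // placeholder host and path
	r.RemoteAddr = remote
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

// simulate sends n login attempts from a single TCP peer, each with a freshly spoofed
// X-Forwarded-For, and returns how many a per-key limiter admits when keyed by extract.
func simulate(n, limit int, extract func(*http.Request) string) int {
	counts := map[string]int{} // per-key attempt counter standing in for the login rate limiter
	admitted := 0
	for i := 0; i < n; i++ {
		r := newRequest("203.0.113.7:51000", fmt.Sprintf("198.51.100.%d", i+1))
		key := extract(r)
		counts[key]++
		if counts[key] <= limit {
			admitted++
		}
	}
	return admitted
}

func main() {
	proxies := []string{"10.0.0.0/8"} // assumed address range of the trusted reverse proxy
	hardened := func(r *http.Request) string { return trustedClientIP(r, proxies) }
	fmt.Println("naive limiter admitted:   ", simulate(20, 5, naiveClientIP)) // 20: the limit never trips
	fmt.Println("hardened limiter admitted:", simulate(20, 5, hardened))      // 5: every attempt keyed on the peer
	// Legitimate chain: proxy 10.0.0.2 appended the real client after an attacker-supplied entry.
	fmt.Println("through proxy:", hardened(newRequest("10.0.0.2:4000", "1.2.3.4, 203.0.113.7"))) // 203.0.113.7
}
```

The hardened variant deliberately ignores True-Client-IP and X-Real-IP. If your proxy sets one of those instead of X-Forwarded-For, honour that one under the same peer check, and never consult a header the proxy does not overwrite; the peer check is what makes the bypass in simulate collapse from 20 admitted attempts to 5.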
Evidence notes
The CVE record and NVD entry show the issue was published on 2026-05-14 and modified on 2026-05-18. NVD references the Fleet 4.80.1 release notes and the vendor advisory. The supplied description states that the vulnerable behavior was unauthenticated, affected header-based client-IP extraction, and impacted rate limiting and IP-ban decisions, with version 4.80.1 containing the patch.
Official resources
- CVE-2026-46356 CVE record (CVE.org)
- CVE-2026-46356 NVD detail (NVD)
- Mitigation or vendor reference: Fleet 4.80.1 release notes ([email protected])
- Mitigation or vendor reference: vendor advisory ([email protected])
Publicly disclosed on 2026-05-14 and updated in the official record on 2026-05-18. The patch is available in Fleet 4.80.1.