CVE-2026-46356 affects Fleet versions before 4.80.1. Fleet’s client-IP extraction logic accepted forwarded IP headers without verifying that they came from a trusted proxy, which let unauthenticated attackers vary those headers and evade per-IP rate limits and IP bans. The practical risk is increased exposure of public Fleet deployments to brute-force login and credential-stuffing attempts, especially whe [truncated]
CVE-2026-26191 is a Fleet device-management vulnerability in the software installer pipeline. If a crafted software package is uploaded and later uninstalled, unsanitized metadata from that package can be inserted into auto-generated uninstall scripts. When those scripts run on managed endpoints, an attacker could trigger unintended command execution with elevated privileges: root on macOS/Linux or SYSTEM [truncated]
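The root cause above is a template that splices package-declared strings into a shell script. The Go program below is an added illustration and not Fleet's installer pipeline: it shows a generator that interpolates a package name verbatim next to one that first validates the name against a conservative allowlist and then single-quotes whatever it embeds. The `packageMeta` type, the allowlist pattern, the script template and the sample names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Metadata extracted from an uploaded installer (constructed shape; not Fleet's type).
type packageMeta struct {
	Name    string // display name as declared inside the package
	Version string
}

// naiveUninstallScript splices metadata straight into a shell template. Whatever the
// package declares becomes shell syntax when the script runs on the endpoint.
func naiveUninstallScript(m packageMeta) string {
	return fmt.Sprintf("#!/bin/sh\nrm -rf \"/Applications/%s.app\"\n", m.Name)
}

// validName allows letters, digits, space, dot, underscore and dash only; quotes,
// '$', ';', '/' and other shell-significant characters are excluded up front.
var validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$`)

// shellQuote wraps s in single quotes so the shell treats it as one literal word,
// escaping any embedded single quote as '\''.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// safeUninstallScript applies both defences: reject names outside the allowlist,
// and quote the value even so, in case the allowlist is loosened later.
func safeUninstallScript(m packageMeta) (string, error) {
	if !validName.MatchString(m.Name) {
		return "", errors.New("package name contains characters not allowed in generated scripts")
	}
	target := shellQuote("/Applications/" + m.Name + ".app")
	return fmt.Sprintf("#!/bin/sh\nset -eu\nrm -rf %s\n", target), nil
}

func main() {
	// Constructed sample: a name that closes the double quote and adds a second command.
	hostile := packageMeta{Name: `Tool"; echo injected; "`, Version: "1.0"}
	fmt.Print(naiveUninstallScript(hostile))
	if _, err := safeUninstallScript(hostile); err != nil {
		fmt.Println("rejected:", err)
	}
	script, _ := safeUninstallScript(packageMeta{Name: "Fleet Tool 1.0", Version: "1.0"})
	fmt.Print(script)
}
```

Quoting alone is a reasonable defence for the script body, but the allowlist is what keeps the metadata usable as a filesystem path and gives a clear place to log and reject a package at upload time, before any script for it is ever generated.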
Fleet's Windows MDM enrollment flow prior to version 4.82.0 fails to validate JWT audience (`aud`) and issuer (`iss`) claims when verifying Azure AD authentication tokens. The application uses Microsoft's multi-tenant JWKS endpoint for signature validation but accepts tokens from any Azure AD tenant, not just the configured tenant. An attacker with access to any valid Azure AD tenant can obtain a Microsof [truncated]
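A signature check against a multi-tenant JWKS only proves that some Azure AD tenant issued the token; binding it to the configured tenant is the job of the `iss` and `aud` checks. The Go program below is an added illustration, not Fleet's enrollment code: it signs RS256 tokens with a locally generated key standing in for the key the JWKS endpoint would publish, shows a signature-only verifier that accepts a token from a second tenant, and a verifier that additionally checks expiry, issuer and audience (with `aud` allowed to be a string or an array, as RFC 7519 permits). The tenant ID, issuer URL, audience value and helper names are placeholders assumed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Placeholder values for the tenant the application is configured for (assumed, not Fleet's constants).
const (
	expectedIssuer   = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
	expectedAudience = "api://fleet-mdm-enrollment"
)

var b64 = base64.RawURLEncoding

// signRS256 produces a JWT over claims; it stands in for the identity provider.
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifySignature checks only the RS256 signature and returns the decoded claims.
// On its own this is the flawed behaviour: a genuine token from any tenant passes.
func verifySignature(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// audienceMatches accepts aud as a single string or an array of strings.
func audienceMatches(aud interface{}, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// verifyForTenant is the hardened check: signature, then exp, iss and aud.
func verifyForTenant(pub *rsa.PublicKey, token, issuer, audience string, now time.Time) (map[string]interface{}, error) {
	claims, err := verifySignature(pub, token)
	if err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return nil, fmt.Errorf("issuer %q is not the configured tenant", iss)
	}
	if !audienceMatches(claims["aud"], audience) {
		return nil, errors.New("token not intended for this application")
	}
	return claims, nil
}

// acceptEnrollmentToken applies the configured tenant and audience at the current time.
func acceptEnrollmentToken(pub *rsa.PublicKey, token string) error {
	_, err := verifyForTenant(pub, token, expectedIssuer, expectedAudience, time.Now())
	return err
}

// claimsFor builds a short-lived claim set for the demo (constructed values).
func claimsFor(iss, aud string) map[string]interface{} {
	return map[string]interface{}{"iss": iss, "aud": aud, "sub": "device-0000",
		"exp": time.Now().Add(5 * time.Minute).Unix()}
}

func newTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	key := newTestKey()
	token, _ := signRS256(key, claimsFor(expectedIssuer, expectedAudience))
	fmt.Println("configured tenant accepted:", acceptEnrollmentToken(&key.PublicKey, token) == nil)
}
```

Because the same signing key is used for both tenants in the demo, the signature-only path cannot tell them apart, which is exactly the situation with a shared multi-tenant JWKS: the key proves Azure AD signed the token, and only the claims say for whom.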