PatchSiren

fleetdm CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM fleetdm CVE published 2026-05-14

CVE-2026-46356

CVE-2026-46356 affects Fleet versions before 4.80.1. Fleet’s client-IP extraction logic accepted forwarded IP headers without verifying that they came from a trusted proxy, which let unauthenticated attackers vary those headers and evade per-IP rate limits and IP bans. The practical risk is increased exposure of public Fleet deployments to brute-force login and credential-stuffing attempts, especially whe [truncated]

MEDIUM fleetdm CVE published 2026-05-14

CVE-2026-26191

CVE-2026-26191 is a Fleet device-management vulnerability in the software installer pipeline. If a crafted software package is uploaded and later uninstalled, unsanitized metadata from that package can be inserted into auto-generated uninstall scripts. When those scripts run on managed endpoints, an attacker could trigger unintended command execution with elevated privileges: root on macOS/Linux or SYSTEM [truncated]

HIGH fleetdm CVE published 2026-05-14

CVE-2026-24899

Fleet's Windows MDM enrollment flow prior to version 4.82.0 fails to validate JWT audience (`aud`) and issuer (`iss`) claims when verifying Azure AD authentication tokens. The application uses Microsoft's multi-tenant JWKS endpoint for signature validation but accepts tokens from any Azure AD tenant, not just the configured tenant. An attacker with access to any valid Azure AD tenant can obtain a Microsof [truncated]