Access Control Flaw in Fleet Open Source Device Management Software
CVE-2026-23517

6.3MEDIUM

Key Information:

Vendor: Fleetdm
Status: Fleet
Vendor: CVE Published:; 21 January 2026

What is CVE-2026-23517?

Fleet, the open-source device management software, has a security flaw related to broken access control. This vulnerability affects multiple versions, allowing authenticated users, even those with low privileges such as the 'Observer' role, to access sensitive debugging and profiling endpoints. As a result, these users can view internal server diagnostics and initiate CPU-intensive profiling operations, potentially leading to service denial. The issue has been addressed in versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. For immediate protection, users are advised to restrict access to debug/pprof endpoints through an IP allowlist while ensuring timely upgrades.

Affected Version(s)

fleet >= 4.78.0, < 4.78.3 < 4.78.0, 4.78.3

fleet >= 4.77.0, < 4.77.1 < 4.77.0, 4.77.1

fleet >= 4.76.0, < 4.76.2 < 4.76.0, 4.76.2

References

https://github.com/fleetdm/fleet/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 21, 2026
Vulnerability Reserved
Jan 13, 2026

CVE-2026-23517 Data

JSON

Fleetdm

What is CVE-2026-23517?

Affected Version(s)

References

CVSS V4

Timeline