Device Management Software Vulnerability in Fleet by FleetDM
CVE-2026-23518

9.3 CRITICAL

Key Information:

Vendor: Fleetdm
Status: Vendor
CVE Published: 21 January 2026

What is CVE-2026-23518?

Fleet, an open-source device management software, has a critical vulnerability in its Windows MDM enrollment process. The flaw, present in the affected versions listed below, allows an attacker to submit forged authentication tokens that are accepted without proper validation. Because the JWT signature is not verified, an attacker can craft identity claims that the server accepts, permitting unauthorized device enrollment under arbitrary Azure Active Directory user identities. Users of affected versions should upgrade to the patched releases, or temporarily disable Windows MDM until an upgrade can be performed.
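As an added example (not Fleet's code), the following Python shows the missing check side by side with the hardened form: `unverified_claims` decodes a token payload and trusts it, while `verified_claims` rejects any token whose signature does not match the issuer's key. The key, the `upn` claim name and the tokens are constructed for the example; it uses HS256 to stay self-contained, whereas Azure AD tokens are RS256-signed and checked against the provider's published keys, but the verification step sits in the same place.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer key for this example only; a real deployment verifies
# against the identity provider's published signing keys (Azure AD: RS256/JWKS).
ISSUER_KEY = b"constructed-example-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT. Any client can call this with a key of its
    own choosing; only signature verification tells such a token apart."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_sign(signing_input, key))}"


def unverified_claims(token: str) -> dict:
    """The weak pattern: decode the payload and trust it without ever
    checking the signature, so whatever identity is claimed is accepted."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verified_claims(token: str, key: bytes) -> dict:
    """Hardened form: pin the algorithm and reject the token unless the
    signature over header.payload matches the issuer's key."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg in token header")
    expected = _sign(f"{header}.{payload}", key)
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("invalid signature: token not issued by trusted IdP")
    return json.loads(_b64url_decode(payload))
```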

Affected Version(s)

fleet >= 4.78.0, < 4.78.3 (fixed in 4.78.3)

fleet >= 4.77.0, < 4.77.1 (fixed in 4.77.1)

fleet >= 4.76.0, < 4.76.2 (fixed in 4.76.2)

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved