IP Address Spoofing Vulnerability in Fleet Device Management Software by FleetDM
CVE-2026-24000

6.9 MEDIUM

Key Information:

Vendor

Fleetdm

Status
Vendor
CVE Published:
14 May 2026

What is CVE-2026-24000?

Fleet, an open-source device management software, has a vulnerability that allows both authenticated and unauthenticated users to spoof their apparent IP address by manipulating HTTP headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. Because these client-supplied IP headers are trusted without adequate validation, an attacker can bypass per-IP rate limiting, which makes brute-force and password-spraying attacks against authentication endpoints more likely to succeed. While this vulnerability does not directly lead to authentication bypass, privilege escalation, data exposure, or remote code execution, it undermines the integrity of the rate limiting mechanism. Fleet version 4.80.1 addresses this issue, and it is recommended to run Fleet behind a trusted reverse proxy or load balancer to mitigate the risk.
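The following Go snippet is an added illustration of the header-trust problem described above and of the mitigation (trusting forwarding headers only from a known proxy); it is not Fleet's own code, and the trusted proxy range and addresses are constructed for the example.

```go
package main

import (
	"net"
	"net/http"
	"net/netip"
	"strings"
)
// naiveClientIP is the weak pattern: the first X-Forwarded-For value is
// believed unconditionally, so a per-IP limiter is keyed on sender-chosen text.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// trustedClientIP honours X-Forwarded-For only when the TCP peer is a configured
// proxy, then walks the list from the right past trusted hops (assumed layout).
func trustedClientIP(r *http.Request, trusted []netip.Prefix) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer, err := netip.ParseAddr(host)
	if err != nil || !isTrusted(peer, trusted) {
		return host // direct or unknown peer: headers are ignored entirely
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed hop: attribute the request to the proxy itself
		}
		if !isTrusted(a, trusted) {
			return a.String()
		}
	}
	return peer.String()
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}
```

A limiter keyed on trustedClientIP can only be moved to another bucket by a hop that a trusted proxy actually observed, not by editing a header.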

Affected Version(s)

fleet < 4.80.1

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
