Vulnerability in Fleet Device Management Software Exposes Windows MDM Enrollment Flow
CVE-2026-24899

8.2HIGH

Key Information:

Vendor: Fleetdm
Status: Fleet
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-24899?

A vulnerability in Fleet's Windows MDM enrollment flow allows any Azure AD tenant's authentication tokens to be misused. The software improperly validates JWT signatures and fails to enforce essential claims like aud and iss. This oversight could permit attackers with access to any Azure AD tenant to enroll unauthorized devices in Fleet's MDM management using valid Microsoft-signed tokens. Moreover, sensitive secrets embedded in MDM command payloads may be exposed, potentially leading to further unauthorized access. Version 4.82.0 resolves this issue, and users should consider disabling Windows MDM until an upgrade is feasible.

Affected Version(s)

fleet < 4.82.0

References

https://github.com/fleetdm/fleet/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/fleetdm/fleet/releases/tag/fleet-v4.82.0

x_refsource_MISC

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Jan 27, 2026

CVE-2026-24899 Data

JSON

Fleetdm

What is CVE-2026-24899?

Affected Version(s)

References

CVSS V4

Timeline