Unauthenticated DoS Vulnerability in Fleet Device Management Software
CVE-2026-26061

8.7HIGH

Key Information:

Vendor: Fleetdm
Status: Fleet
Vendor: CVE Published:; 27 March 2026

What is CVE-2026-26061?

The Fleet device management software, prior to version 4.81.0, includes multiple unauthenticated HTTP endpoints that process request bodies without a defined size limit. This design oversight can be exploited by attackers who send large or repeated HTTP requests, leading to excessive memory consumption and ultimately causing a denial-of-service (DoS) condition. To mitigate this vulnerability, users are encouraged to upgrade to version 4.81.0 or later, where the issue has been addressed.

Affected Version(s)

fleet < 4.81.0

References

https://github.com/fleetdm/fleet/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2026
Vulnerability Reserved
Feb 10, 2026

CVE-2026-26061 Data

JSON

Fleetdm

What is CVE-2026-26061?

Affected Version(s)

References

CVSS V4

Timeline