Denial-of-Service Vulnerability in Fleet Management Software by FleetDM
CVE-2026-26062

8.7 HIGH

Key Information:

Vendor: Fleetdm

Status
Vendor
CVE Published: 14 May 2026

What is CVE-2026-26062?

Fleet is open-source device management software. Versions prior to 4.81.0 contain a denial-of-service vulnerability in the gRPC Launcher 'PublishLogs' endpoint. When the endpoint processes certain unexpected input values, the Fleet server process can terminate upon receiving an authenticated request from a compromised Launcher host. An attacker with access to an enrolled Launcher node key can exploit this by sending a single gRPC request, leading to an immediate denial of service. The vulnerability affects only service availability, but it can still cause significant operational disruption. Users are encouraged to upgrade to version 4.81.0 or apply mitigations such as restricting network access to the gRPC endpoint and monitoring for abnormal process behavior.

Affected Version(s)

fleet < 4.81.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved