Vulnerability in Fleet Open Source Device Management Software Exposes Google Calendar Credentials
CVE-2026-27465

1.3 LOW

Key Information:

Vendor: Fleetdm

Status
Vendor
CVE Published: 26 February 2026

What is CVE-2026-27465?

In Fleet versions prior to 4.80.1, a vulnerability in the configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. Because the credentials are insufficiently obfuscated, a low-privilege user can obtain them and access sensitive Google Calendar resources associated with the service account. If exploited, this could lead to unauthorized access to calendar data and other Google Workspace resources. The vulnerability does not allow privilege escalation within Fleet and does not grant access to device management features.

Remediation is to upgrade to version 4.80.1. As interim solutions, remove the Google Calendar integration and rotate the affected service account credentials.

Affected Version(s)

fleet < 4.80.1

CVSS V4

Score: 1.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
