Vulnerability in Fleet Device Management Software by FleetDM
CVE-2026-46356
What is CVE-2026-46356?
Fleet, an open-source device management platform, has a vulnerability in its client IP extraction logic that lets unauthenticated attackers bypass API rate limiting. The software does not validate where client IP headers such as True-Client-IP, X-Real-IP, and X-Forwarded-For originate, so an attacker can spoof them and make Fleet treat a stream of requests from a single source as if it came from many distinct clients. Against a publicly exposed Fleet instance this allows effectively unrestricted brute-force login attempts. Users should upgrade to version 4.80.1, which addresses this issue, or ensure their deployments sit behind a trusted reverse proxy, such as nginx or AWS ALB, that overwrites these client IP headers rather than passing client-supplied values through.
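The extraction flaw described above, as an added illustration that is not Fleet's own code: a naive extractor that trusts any caller-supplied header sits beside a hardened one that only honors X-Forwarded-For when the TCP peer is inside an assumed proxy range (the 10.0.0.0/8 range is constructed for the example), so a rate limiter keyed on its result cannot be split into many "clients" by header spoofing.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Constructed for this example: the only network allowed to set forwarding
// headers, i.e. the reverse proxy's (nginx / AWS ALB) address range.
var _, trustedProxies, _ = net.ParseCIDR("10.0.0.0/8")

// peerIP is the TCP-level source address, which a remote caller cannot forge.
func peerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// NaiveClientIP shows the weak pattern: any caller-supplied header wins, so a
// limiter keyed on it sees a fresh "client" for every spoofed header value.
func NaiveClientIP(r *http.Request) string {
	for _, h := range []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"} {
		if v := r.Header.Get(h); v != "" {
			return strings.TrimSpace(strings.Split(v, ",")[0])
		}
	}
	return peerIP(r)
}

// HardenedClientIP ignores forwarding headers unless the TCP peer is the trusted
// proxy, then takes the right-most X-Forwarded-For hop that is not itself a proxy.
func HardenedClientIP(r *http.Request) string {
	peer := peerIP(r)
	if ip := net.ParseIP(peer); ip == nil || !trustedProxies.Contains(ip) {
		return peer // untrusted peer: whatever it put in the headers is ignored
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip != nil && !trustedProxies.Contains(ip) {
			return ip.String()
		}
	}
	return peer // proxy sent no usable client address; key on the proxy itself
}
```

Keying the login rate limiter on HardenedClientIP rather than NaiveClientIP is the property the fix needs; it also relies on the proxy overwriting, not appending to, headers it receives from the outside.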
Affected Version(s)
fleet < 4.80.1
