Vulnerability Description
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fleetdm | Fleet | < 4.53.3 |
Related Weaknesses (CWE)
References
- https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257Patch
- https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448vVendor Advisory
FAQ
What is CVE-2026-23518?
CVE-2026-23518 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to subm...
How severe is CVE-2026-23518?
CVE-2026-23518 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-23518?
Check the references section above for vendor advisories and patch information. Affected products include: Fleetdm Fleet.