CVE-2026-46356 High Severity in fleet Vulnerability Details & Analysis

Summary

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted pro

Description

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 328,009 vulnerabilities in our database.

#101,817

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 14, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-23998	⚠️ high	7.5	0.0	Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM manag...	2026-05-14
CVE-2026-24000	🔶 medium	5.3	0.1	Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address heade...	2026-05-14
CVE-2026-24899	⚠️ high	7.5	0.0	Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollm...	2026-05-14
CVE-2026-26062	🔶 medium	6.5	0.1	Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issu...	2026-05-14
CVE-2026-26191	⛔ critical	9.8	0.0	Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer ...	2026-05-14
CVE-2026-27806	⚠️ high	7.8	0.0	Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotati...	2026-04-08

CVE-2026-46356

Summary

Description

📊 Relative Risk Intelligence

🎯 CISA SSVC Assessment Updated: May 14, 2026

📦 Affected Products 1

🔗 References 2

🔗 Related CVEs 6