CVE-2026-23518 · CRITICAL 9.8 · EPSS percentile 13.1%


Description

Fleet is open-source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2 and 4.53.3, Fleet's Windows MDM enrollment flow accepted forged authentication tokens: because JWT signatures were not verified (CWE-347), Fleet trusted attacker-controlled identity claims, allowing an attacker to enroll unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2 and 4.53.3 fix the issue. Where an immediate upgrade is not possible, affected Fleet deployments should temporarily disable Windows MDM. Because the weakness allowed enrollment rather than only transient access, operators should also review Windows MDM enrollments made while a vulnerable version was exposed.
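The bug class described above, as an added example that is not Fleet's code and is not derived from the referenced fix commit: a Go program (Go because that is Fleet's implementation language) placing a JWT parser that trusts the payload without ever checking the signature beside a hardened parser that pins the algorithm, verifies an RS256 signature against the identity provider's key, and only then checks issuer, audience and expiry on the authenticated claims. The Claims struct, all function names, the tenant URL, app ID and user names are assumptions constructed for the example. Azure AD publishes its signing keys through a JWKS endpoint that a real verifier would fetch and cache; here a key pair generated in-process stands in for the identity provider.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Azure AD token claims an enrollment flow would act on (illustrative, not Fleet's struct).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// parseUnverified reproduces the CWE-347 bug class: the payload is decoded and trusted without a signature check.
func parseUnverified(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	return &c, json.Unmarshal(raw, &c)
}

// parseVerified is the hardened form: pin the algorithm, verify the RS256 signature with the trusted
// identity-provider key, and only then check issuer, audience and expiry on the authenticated claims.
func parseVerified(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: want alg RS256, got %q", hdr.Alg) // also blocks "none" and key confusion
	}
	sig, _ := b64.DecodeString(parts[2]) // a truncated or malformed signature simply fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	c, err := parseUnverified(token) // safe now: the payload is authenticated
	if err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != audience || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return c, nil
}

// signToken stands in for the identity provider and mints a genuine RS256 JWT over the given claims.
func signToken(priv *rsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	body := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only fails on a broken system RNG; not a failure mode worth modelling here
	}
	return body + "." + b64.EncodeToString(sig)
}

// demo mints a token for user-alice, forges it into user-admin without the signing key, and reports which
// identity the vulnerable parser enrolls alongside the hardened parser's verdict. All values are constructed.
func demo() (vulnerableEnrolls string, hardenedVerdict error) {
	const issuer, audience = "https://login.microsoftonline.com/example-tenant/v2.0", "example-fleet-app-id"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken system RNG
	now := time.Now()
	claims := Claims{Iss: issuer, Aud: audience, Sub: "user-alice", Exp: now.Add(time.Hour).Unix()}
	genuine := signToken(priv, claims)
	// Attacker step: keep the header and the (now stale) signature, swap in a payload asserting another user.
	claims.Sub = "user-admin"
	payload, _ := json.Marshal(claims)
	parts := strings.Split(genuine, ".")
	parts[1] = b64.EncodeToString(payload)
	forged := strings.Join(parts, ".")
	c, _ := parseUnverified(forged)
	_, hardenedVerdict = parseVerified(forged, &priv.PublicKey, issuer, audience, now)
	return c.Sub, hardenedVerdict
}

func main() {
	fmt.Println(demo())
}
```

Run as-is, the first value printed is the identity the vulnerable parser would enroll ("user-admin", chosen by the attacker) and the second is the hardened parser's rejection. The hardened path rejects the forged token on the signature alone; the issuer, audience and expiry checks that follow cover a different failure, a genuine token minted for another application or long since expired, which a signature check cannot catch.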

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction required; high impact on confidentiality, integrity and availability)
EPSS: 0.23% probability of exploitation · percentile 13.1% · scored 2026-06-19T12:03:05Z
Published: 2026-01-21
Last modified: 2026-02-27

Underlying weaknesses (1)

CWE-347: Improper Verification of Cryptographic Signature

References

  1. https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257
  2. https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v

Mapped entities (1)

Type       Target                                                      Confidence  Tier
Weakness   Improper Verification of Cryptographic Signature (cwe-347)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-26060
  2. CVE-2026-34385
  3. CVE-2026-34386
  4. CVE-2026-29180
  5. CVE-2026-34387
  6. CVE-2026-26191

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.