Skip to main content

Fleet CVE-2022-24841

HIGH
Improper Access Control (CWE-284)
2022-04-18 security-advisories@github.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 18, 2022 - 22:15 nvd
HIGH 8.1

DescriptionNVD

fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.

AnalysisAI

fleetdm/fleet is an open source device management, built on osquery. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-284. fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue. Affected products include: Fleetdm Fleet. Version information: version 4.13..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Fleet

View all
CVE-2026-23518 CRITICAL
9.8 Jan 21

Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-26186 HIGH
8.8 Feb 26

SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the ord

CVE-2026-23517 HIGH
8.1 Jan 21

Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticat

CVE-2019-1020009 HIGH
7.5 Jul 29

Fleet before 2.1.2 allows exposure of SMTP credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely e

CVE-2026-27465 MEDIUM
6.5 Feb 26

Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar res

CVE-2026-25963 MEDIUM
6.5 Feb 26

Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template dele

CVE-2026-23999 MEDIUM
5.5 Feb 26

Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attack

CVE-2026-22808 MEDIUM
5.4 Jan 21

fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]

CVE-2026-24004 MEDIUM
5.3 Feb 26

Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated at

CVE-2021-21296 LOW
2.7 Feb 10

Fleet is an open source osquery manager. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low

Share

CVE-2022-24841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy