What is the CVSS score of CVE-2026-23517?

CVE-2026-23517 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Industrial are affected by CVE-2026-23517?

Organizations using versions face notable risk from CVE-2026-23517, a missing authorization vulnerability rated CVSS 8.1.. A patch is available.

Industrial CVE-2026-23517

HIGH

Missing Authorization (CWE-862)

2026-01-21 security-advisories@github.com

GHSA-4r5r-ccr6-q6f6

Denial Of Service Industrial Fleet Suse

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 27, 2026 - 16:16 nvd

Patch available

CVE Published

Jan 21, 2026 - 22:15 nvd

HIGH 8.1

DescriptionNVD

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.

AnalysisAI

Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticated user, including low-privilege observers, to access debug and profiling endpoints. Attackers can leverage this vulnerability to extract sensitive server diagnostics, runtime profiling data, and application state, or trigger CPU-intensive operations resulting in denial of service. …

RemediationAI

Within 7 days: Identify all affected systems running versions and apply vendor patches promptly. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-23517 vulnerability details – vuln.today

Back