Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls.
Fleet determines a client’s public IP address using HTTP headers such as:
- X-Forwarded-For
- X-Real-IP
- True-Client-IP
These headers were trusted without validation. An attacker could supply arbitrary values in these headers, causing Fleet to treat each request as originating from a different IP address.
This could allow an attacker to bypass per-IP rate limits and increase the effectiveness of brute-force or password-spraying attempts against authentication endpoints.
This issue does not allow authentication bypass, privilege escalation, data exposure, or remote code execution on its own.
Workarounds
Run Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.
For more information
If you have any questions or comments about this advisory:
Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack
Credits
We thank @fuzzztf for responsibly reporting this issue.
AnalysisAI
Fleet trusts untrusted client-supplied IP address headers (X-Forwarded-For, X-Real-IP, True-Client-IP) when determining source IP for incoming requests, allowing both authenticated and unauthenticated attackers to spoof their apparent IP address and bypass per-IP rate limiting controls. This enables brute-force and password-spraying attacks against authentication endpoints to scale without triggering rate-limit protections, though the vulnerability does not itself enable authentication bypass, privilege escalation, data exposure, or remote code execution.
Technical ContextAI
Fleet is an open-source device management and osquery orchestration platform written in Go. The vulnerability exists in the HTTP request handling layer where the application extracts client IP addresses from standard proxy headers without validating their authenticity or origin. The affected code relies on headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP - headers commonly set by reverse proxies and load balancers to preserve the original client IP through intermediaries. However, when Fleet receives requests directly or from untrusted networks, malicious actors can inject arbitrary values into these headers, and the application will accept them as the legitimate source IP. This violates the principle of trusting only headers set by infrastructure under the application's control. The root cause is classified as CWE-290 (Authentication using Password with Weak Encryption), though more accurately this is an IP spoofing vulnerability (improper validation of IP header sources). The per-IP rate limiting mechanism likely relies on comparing request source IPs to determine throttle state, so when the IP is spoofed with each request, the attacker effectively bypasses the rate limit entirely.
RemediationAI
Upgrade Fleet immediately to version 4.80.1 or later. The release notes confirm this version contains the fix. In the interim, if upgrading is not immediately possible, deploy Fleet behind a trusted reverse proxy or load balancer that is explicitly configured to overwrite client IP headers before they reach Fleet, preventing malicious header injection. This workaround requires that the reverse proxy be under your control and that you configure it to strip or rewrite X-Forwarded-For, X-Real-IP, and True-Client-IP headers with values it calculates from the actual client connection. Additionally, the advisory mentions a new FLEET_SERVER_TRUSTED_PROXIES configuration option added in v4.80.1; this allows you to specify which proxies are trusted, further hardening the deployment. Ensure rate limiting is enforced at the reverse proxy or load balancer layer in addition to the application layer.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30373
GHSA-j8h8-75h3-jg53