
Fleet MDM CVE-2026-24899

EUVD-2026-30374 | Severity: HIGH
Authentication Bypass by Spoofing (CWE-290)
Published 2026-05-14 | Project: https://github.com/fleetdm/fleet | Advisory: GHSA-ffg9-j72f-j6xm
CVSS 4.0 base score: 8.2

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base metrics (threat, environmental and supplemental metrics are not defined, shown as X in the vector):
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Present
Privileges Required: None
User Interaction: None
Vulnerable System Confidentiality: High
Vulnerable System Integrity: None
Vulnerable System Availability: None
Subsequent System Confidentiality / Integrity / Availability: None

Lifecycle Timeline (7 events, newest first)

Patch available: May 14, 2026 21:32 (EUVD)
Analysis updated: May 14, 2026 20:30 (vuln.today), v2, triggered by CVSS change
Re-analysis queued: May 14, 2026 20:22 (vuln.today), reason: CVSS changed
CVSS changed: May 14, 2026 20:22 (NVD), 8.2 (HIGH)
Source code evidence fetched: May 14, 2026 13:46 (vuln.today)
Analysis generated: May 14, 2026 13:46 (vuln.today)
CVE published: May 14, 2026 13:13 (NVD), severity HIGH

Description (NVD)

Summary

A vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Fleet validates JWT signatures against Microsoft's multi-tenant JWKS endpoint, but that key set signs tokens for every Azure AD tenant, so a valid signature only proves that Microsoft issued the token, not which tenant or application it was issued for. Because Fleet does not enforce the aud (audience) or iss (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes can be used to authenticate to Fleet's MDM endpoints, regardless of the tenant that issued it.
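To make the failure mode concrete, the following is an added example in Go (Fleet's implementation language); it is not Fleet's code and uses none of Fleet's or Microsoft's real identifiers. One RSA key stands in for Microsoft's shared multi-tenant key set and mints two RS256 tokens: one for the deployment's own tenant and application, one from an unrelated tenant for an unrelated application that merely requests the same scope name. Both tokens are then run through a verifier that checks only signature and scope (the flaw the advisory describes) and through one that also pins iss and aud and checks exp. The tenant GUIDs, the api:// audiences, the scope name mdm.enroll and the kid value are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Azure AD access-token claims this example inspects.
type Claims struct {
	Iss string `json:"iss"` // tenant-specific issuer URL
	Aud string `json:"aud"` // application the token was minted for
	Scp string `json:"scp"` // space-separated delegated scopes
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

var enc = base64.RawURLEncoding

// mint issues an RS256 JWT, standing in for the Azure AD token service, which
// signs tokens for every tenant with the same published key set.
func mint(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "ms-key-1"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only fails on a broken key
	}
	return input + "." + enc.EncodeToString(sig)
}

// verifySignature checks only that the token carries a valid RS256 signature from
// the JWKS key (alg is fixed here, never read from the header); it says nothing
// about who issued the token or for whom.
func verifySignature(pub *rsa.PublicKey, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	sig, _ := enc.DecodeString(parts[2]) // a decode error surfaces as a bad signature
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, fmt.Errorf("bad signature")
	}
	var c Claims
	body, err := enc.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(body, &c)
	}
	return c, err
}

func hasScope(scp, want string) bool { return strings.Contains(" "+scp+" ", " "+want+" ") }

// vulnerableAccept mirrors the flaw: a valid Microsoft signature plus the expected
// scope is enough, whatever tenant issued the token and for whichever app.
func vulnerableAccept(pub *rsa.PublicKey, token, scope string) bool {
	c, err := verifySignature(pub, token)
	return err == nil && hasScope(c.Scp, scope)
}

// hardenedAccept also pins iss and aud to this deployment and rejects expired
// tokens, so a token from another tenant fails despite its good signature.
func hardenedAccept(pub *rsa.PublicKey, token, scope, iss, aud string, now time.Time) bool {
	c, err := verifySignature(pub, token)
	return err == nil && c.Iss == iss && c.Aud == aud && hasScope(c.Scp, scope) && now.Unix() < c.Exp
}

// Scenario runs both verifiers over an own-tenant token and a foreign-tenant token
// signed with the same key. All identifiers below are constructed placeholders.
func Scenario() (vulnOwn, vulnForeign, hardOwn, hardForeign bool) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const scope, ownAud = "mdm.enroll", "api://fleet-mdm-example"
	const ownIss = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"
	const attackerIss = "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0"
	pub, now := &key.PublicKey, time.Now()
	exp := now.Add(time.Hour).Unix()
	own := mint(key, Claims{Iss: ownIss, Aud: ownAud, Scp: scope, Exp: exp})
	// The attacker's own tenant mints a token for the attacker's own app, which
	// merely requests the same scope name; Microsoft signs it with the same key.
	foreign := mint(key, Claims{Iss: attackerIss, Aud: "api://attacker-app", Scp: scope, Exp: exp})
	return vulnerableAccept(pub, own, scope), vulnerableAccept(pub, foreign, scope),
		hardenedAccept(pub, own, scope, ownIss, ownAud, now), hardenedAccept(pub, foreign, scope, ownIss, ownAud, now)
}

func main() {
	fmt.Println(Scenario()) // true true true false: the foreign token passes only the vulnerable check
}
```

Running it prints `true true true false`: the signature-and-scope verifier accepts the foreign tenant's token, the pinned verifier does not. Two design points carry over to real deployments: the signing algorithm is fixed in the verifier rather than taken from the token header, and a multi-tenant application would compare iss (or the tid claim) against an allowlist of permitted tenants instead of the single value pinned here, while still requiring aud to equal its own application ID.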

Impact

If Windows MDM is enabled, an attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to enroll unauthorized devices and interact with Fleet's MDM management APIs. During device management, Fleet may expose sensitive enrollment secrets embedded in MDM command payloads, enabling further unauthorized access.

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory, email security@fleetdm.com or join #fleet in osquery Slack.

Credits

We thank @zaddy6 for responsibly reporting this issue.

Analysis (AI)

JWT authentication bypass in Fleet's Windows MDM enrollment allows attackers with access to any Azure AD tenant to enroll unauthorized devices and access management APIs. Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but fails to verify 'aud' (audience) or 'iss' (issuer) claims, accepting any Microsoft-signed token with the expected scopes. …


Remediation (AI)

Within 24 hours: Audit Azure AD tenants with access to Fleet enrollment endpoints and review device enrollment logs for anomalies. Within 7 days: Upgrade Fleet to version 4.82.0 or later. …
