Skip to main content

Fleet MDM CVE-2026-24899

| EUVDEUVD-2026-30374 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-05-14 https://github.com/fleetdm/fleet GHSA-ffg9-j72f-j6xm
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
May 14, 2026 - 21:32 EUVD
Analysis Updated
May 14, 2026 - 20:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 14, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 14, 2026 - 20:22 NVD
8.2 (HIGH)
Source Code Evidence Fetched
May 14, 2026 - 13:46 vuln.today
Analysis Generated
May 14, 2026 - 13:46 vuln.today
CVE Published
May 14, 2026 - 13:13 nvd
HIGH

DescriptionGitHub Advisory

Summary

A vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the aud (audience) or iss (issuer) claims, any Microsoft-signed Azure AD access token containing the expected scopes can be used to authenticate to Fleet's MDM endpoints.

Impact

If Windows MDM is enabled, an attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to enroll unauthorized devices and interact with Fleet's MDM management APIs. During device management, Fleet may expose sensitive enrollment secrets embedded in MDM command payloads, enabling further unauthorized access.

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory: Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack

Credits

We thank @zaddy6 for responsibly reporting this issue.

AnalysisAI

JWT authentication bypass in Fleet's Windows MDM enrollment allows attackers with access to any Azure AD tenant to enroll unauthorized devices and access management APIs. Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but fails to verify 'aud' (audience) or 'iss' (issuer) claims, accepting any Microsoft-signed token with the expected scopes. This enables unauthorized device enrollment and potential exposure of enrollment secrets embedded in MDM payloads. Vendor-released patch available in Fleet v4.82.0 (March 2026). No evidence of active exploitation (not in CISA KEV) at time of analysis, though the vulnerability was responsibly disclosed by security researcher @zaddy6.

Technical ContextAI

This vulnerability affects Fleet's Windows Mobile Device Management (MDM) implementation, specifically the Azure Active Directory (AAD) JWT token validation logic. Fleet uses Microsoft's multi-tenant JSON Web Key Set (JWKS) endpoint to verify cryptographic signatures on Azure AD access tokens. The flaw is a CWE-290 (Authentication Bypass by Spoofing) where Fleet validates that tokens are cryptographically signed by Microsoft but fails to enforce standard OAuth2/OIDC security controls-specifically the 'aud' (audience) and 'iss' (issuer) JWT claims. The 'aud' claim should restrict tokens to Fleet's specific tenant/application ID, while 'iss' identifies the authorizing tenant. Without these checks, any valid Azure AD token from any tenant worldwide can authenticate if it contains the expected OAuth scopes. The affected package is the Go module github.com/fleetdm/fleet/v4 in versions prior to 4.82.0, where the Windows MDM enrollment flow processes these tokens.

RemediationAI

Upgrade to Fleet v4.82.0 or later, released March 11, 2026, which implements proper validation of 'aud' and 'iss' JWT claims in the Windows MDM authentication flow. Release notes and download available at https://github.com/fleetdm/fleet/releases/tag/fleet-v4.82.0. If immediate upgrade is not feasible, temporarily disable Windows MDM functionality in Fleet configuration as an interim mitigation-this prevents exploitation but eliminates Windows device management capabilities until upgrade can be completed. No evidence that disabling Windows MDM impacts macOS/iOS/Linux MDM features or core Fleet functionality. Organizations should audit MDM enrollment logs for unexpected device registrations from unfamiliar Azure AD tenants, review enrolled device inventory for unauthorized entries, and rotate any enrollment secrets that may have been exposed through MDM command payloads. After upgrading, verify that only tokens from your organization's Azure AD tenant are accepted by testing enrollment with tokens from external tenants (should fail post-patch). Full technical details and vendor contact information available in the GitHub advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-ffg9-j72f-j6xm or by emailing security@fleetdm.com.

Share

CVE-2026-24899 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy