Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.
Impact
If an attacker had prior access to a valid password reset token, they could reuse that token within its validity window to reset the user’s password after the user has already changed it. This could result in temporary account takeover.
Exploitation requires prior compromise of a password reset token and is further constrained by the token’s 24-hour expiration period. The issue does not allow discovery of reset tokens, does not bypass authentication on its own, and does not affect accounts without an existing valid reset token.
Workarounds
Until patched, users who believe a password reset token may have been exposed should wait for the token to expire before reusing the account, or contact a Fleet administrator to invalidate active sessions.
For more information
If there are any questions or comments about this advisory:
Email Fleet at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack
Credits
Fleet thanks @fuzzztf for responsibly reporting this issue.
AnalysisAI
Fleet's password reset token invalidation logic fails to revoke previously issued tokens when a user changes their password, allowing attackers with a captured token to perform account takeover by resetting the password again within the token's 24-hour validity window. The vulnerability affects Fleet versions distributed via the Go package github.com/fleetdm/fleet/v4 and requires prior compromise of a valid password reset token to exploit, limiting real-world impact to scenarios where token interception has already occurred.
Technical ContextAI
The vulnerability stems from improper session management in Fleet's password reset token handling, classified under CWE-613 (Insufficient Session Expiration). When a user initiates a password reset, Fleet generates a time-limited token typically valid for 24 hours; however, the token validation logic does not invalidate previously issued tokens upon password change. This allows a stale token-one issued before the user changed their password-to remain functional and be replayed to reset the account again. The affected product is the Go package pkg:go/github.com_fleetdm_fleet_v4, which is Fleet's core osquery management server. The root cause is a session token lifecycle management failure where token revocation is not triggered by password change events, violating the principle of invalidating all active authentication credentials when account access is modified.
RemediationAI
Upgrade Fleet to the patched version released by the vendor; consult the GitHub security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4 for the specific version number and installation instructions. As an immediate workaround pending patch deployment, users concerned about password reset token exposure should contact their Fleet administrator to invalidate all active sessions, or wait for the token's 24-hour expiration period to elapse before reusing the account. Additionally, implement monitoring and alerting on password change events to detect suspicious reset token reuse patterns, and enforce strong password policies to reduce the window of opportunity if an attacker gains temporary account access.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16742
GHSA-3458-r943-hmx4