Skip to main content

Suse CVE-2026-34389

| EUVDEUVD-2026-16797 MEDIUM
Improper Authentication (CWE-287)
2026-03-27 GitHub_M GHSA-4f9r-x588-pp2h
4.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 19:45 euvd
EUVD-2026-16797
Analysis Generated
Mar 27, 2026 - 19:45 vuln.today
CVE Published
Mar 27, 2026 - 19:18 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.

AnalysisAI

Fleet device management software prior to version 4.81.0 allows privilege escalation through email validation bypass in the user invitation flow. An attacker with a valid invite token can create an account using an arbitrary email address while retaining the role permissions granted by the invite, potentially obtaining global admin access. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability exists in Fleet's user invitation acceptance mechanism, which fails to validate that the email address entered during account creation matches the email address associated with the original invite token. This represents an authentication and authorization control failure (CWE-287: Improper Authentication) where the application trusts user-supplied email input without cross-referencing it against the legitimate invite recipient. The vulnerability affects Fleet across all versions prior to 4.81.0, as indicated by the CPE string cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*. The root cause is insufficient input validation and email address binding during the invitation acceptance workflow, allowing an attacker to decouple the invite token from its intended recipient.

RemediationAI

Organizations must upgrade Fleet to version 4.81.0 or later, which patches the email validation bypass in the invitation acceptance workflow. The primary mitigation is to perform an immediate upgrade by deploying Fleet 4.81.0 from the official repository. For organizations unable to patch immediately, review and revoke all pending user invitations and monitor for unauthorized account creation, particularly accounts with elevated privileges. For detailed upgrade instructions and to confirm your current version, consult the Fleet repository and the security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h. After patching, audit existing user accounts and roles to ensure no unauthorized admin accounts were created via this vulnerability.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-34389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy