Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet.
Impact
Fleet extracted client IP addresses from request headers (True-Client-IP, X-Real-IP, X-Forwarded-For) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions.
As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks.
This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected.
Workarounds
If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites X-Forwarded-For with the true client IP, and apply rate limiting at the proxy or WAF layer.
For more information
If you have any questions or comments about this advisory: Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack
Credits
We thank @fuzzztf for responsibly reporting this issue.
AnalysisAI
Fleet instances fail to validate the origin of client IP headers (True-Client-IP, X-Real-IP, X-Forwarded-For) before using them for API rate limiting, allowing unauthenticated attackers to bypass per-IP brute-force protections on sensitive endpoints such as login by rotating header values across requests. This vulnerability primarily affects Fleet deployments directly exposed to the internet without a reverse proxy that overwrites forwarded headers; instances behind properly configured proxies or WAFs have reduced exposure.
Technical ContextAI
Fleet's authentication and rate-limiting system extracts client IP addresses from HTTP request headers commonly set by reverse proxies (True-Client-IP, X-Real-IP, X-Forwarded-For) to enforce per-IP rate limits and IP-based blocking policies. The vulnerability stems from a failure to implement trusted proxy validation (CWE-290: Improper Input Validation), a common architectural flaw where client-controlled or untrusted headers are treated as authoritative without verification that they originated from a legitimate, pre-configured reverse proxy. The CPE pkg:go/github.com_fleetdm_fleet identifies the Go-based Fleet application as the affected product. Deployments behind a reverse proxy that overwrites these headers with the actual connecting client IP before Fleet receives the request, or deployments on closed networks, are not vulnerable because the attacker cannot control the header values that Fleet observes.
RemediationAI
Upgrade Fleet to version 4.80.1 or later immediately; this version includes the FLEET_SERVER_TRUSTED_PROXIES configuration, which implements proper trusted proxy validation. For organizations unable to upgrade immediately, deploy Fleet behind a reverse proxy (nginx, Cloudflare, AWS ALB, or similar WAF/proxy) that is configured to overwrite the X-Forwarded-For header with the actual client IP address before passing the request to Fleet, and apply rate limiting and IP-based access controls at the proxy or WAF layer rather than relying on Fleet's internal rate limiting. This workaround incurs operational overhead (proxy management and configuration verification) and defers rate-limit enforcement to infrastructure components rather than the application. Additionally, restrict direct internet access to Fleet to authorized networks when possible, requiring users to access Fleet through a VPN or corporate network that enforces proper proxy behavior. The release notes reference https://github.com/fleetdm/fleet/releases/tag/fleet-v4.80.1 and the advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-mxmp-wr3w-rvqx for remediation details.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30416
GHSA-mxmp-wr3w-rvqx