Skip to main content

Fleet CVE-2026-46356

| EUVDEUVD-2026-30416 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-05-14 https://github.com/fleetdm/fleet GHSA-mxmp-wr3w-rvqx
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 14, 2026 - 21:32 EUVD
CVSS changed
May 14, 2026 - 20:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 14:03 vuln.today
Analysis Generated
May 14, 2026 - 14:03 vuln.today
CVE Published
May 14, 2026 - 13:18 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet.

Impact

Fleet extracted client IP addresses from request headers (True-Client-IP, X-Real-IP, X-Forwarded-For) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions.

As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks.

This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected.

Workarounds

If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites X-Forwarded-For with the true client IP, and apply rate limiting at the proxy or WAF layer.

For more information

If you have any questions or comments about this advisory: Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack

Credits

We thank @fuzzztf for responsibly reporting this issue.

AnalysisAI

Fleet instances fail to validate the origin of client IP headers (True-Client-IP, X-Real-IP, X-Forwarded-For) before using them for API rate limiting, allowing unauthenticated attackers to bypass per-IP brute-force protections on sensitive endpoints such as login by rotating header values across requests. This vulnerability primarily affects Fleet deployments directly exposed to the internet without a reverse proxy that overwrites forwarded headers; instances behind properly configured proxies or WAFs have reduced exposure.

Technical ContextAI

Fleet's authentication and rate-limiting system extracts client IP addresses from HTTP request headers commonly set by reverse proxies (True-Client-IP, X-Real-IP, X-Forwarded-For) to enforce per-IP rate limits and IP-based blocking policies. The vulnerability stems from a failure to implement trusted proxy validation (CWE-290: Improper Input Validation), a common architectural flaw where client-controlled or untrusted headers are treated as authoritative without verification that they originated from a legitimate, pre-configured reverse proxy. The CPE pkg:go/github.com_fleetdm_fleet identifies the Go-based Fleet application as the affected product. Deployments behind a reverse proxy that overwrites these headers with the actual connecting client IP before Fleet receives the request, or deployments on closed networks, are not vulnerable because the attacker cannot control the header values that Fleet observes.

RemediationAI

Upgrade Fleet to version 4.80.1 or later immediately; this version includes the FLEET_SERVER_TRUSTED_PROXIES configuration, which implements proper trusted proxy validation. For organizations unable to upgrade immediately, deploy Fleet behind a reverse proxy (nginx, Cloudflare, AWS ALB, or similar WAF/proxy) that is configured to overwrite the X-Forwarded-For header with the actual client IP address before passing the request to Fleet, and apply rate limiting and IP-based access controls at the proxy or WAF layer rather than relying on Fleet's internal rate limiting. This workaround incurs operational overhead (proxy management and configuration verification) and defers rate-limit enforcement to infrastructure components rather than the application. Additionally, restrict direct internet access to Fleet to authorized networks when possible, requiring users to access Fleet through a VPN or corporate network that enforces proper proxy behavior. The release notes reference https://github.com/fleetdm/fleet/releases/tag/fleet-v4.80.1 and the advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-mxmp-wr3w-rvqx for remediation details.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-46356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy