Skip to main content

Fleet CVE-2026-46370

MEDIUM
SQL Injection (CWE-89)
2026-06-12 https://github.com/fleetdm/fleet GHSA-vxm7-9x8v-8gm4
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible Fleet API endpoint exploitable with only Observer-level credentials; confidentiality is High as complete enrollment secrets are extractable, with no direct integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 21:51 vuln.today
Analysis Generated
Jun 12, 2026 - 21:51 vuln.today

DescriptionGitHub Advisory

Summary

A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (node_key, orbit_node_key) through a cursor-based binary search oracle. The endpoint accepted a user-supplied order_key parameter that was not validated against a column allowlist, permitting sort order to be driven by sensitive columns in a joined table.

Impact

The GET /api/v1/fleet/labels/{id}/hosts endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the ORDER BY clause. An attacker with Global Observer or Team Observer credentials could supply a sensitive column name (for example, h.node_key) as order_key and combine it with the cursor-based after parameter to binary-search the values of those columns one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.

The node_key and orbit_node_key values are the long-lived shared secrets used by osquery and Orbit agents to authenticate to the Fleet server. An attacker who extracted these keys could:

  • Impersonate enrolled hosts to Fleet's osquery and Orbit endpoints
  • Submit fabricated query results and host inventory data
  • Retrieve pending scripts and MDM commands queued for the host
  • Poison compliance and policy results across the Fleet deployment

Exploitation required authenticated Observer access. Fleet deployments that restrict Observer roles to fully trusted users were at lower practical risk, but the secrets exposed are high-value and long-lived.

Patches

  • v4.85.0

Workarounds

If an immediate upgrade is not possible, administrators should:

  • Restrict the Observer role to fully trusted users until the patch is applied
  • Rotate node_key and orbit_node_key for any host suspected of exposure by re-enrolling the affected hosts

For more information

If there are any questions or comments about this advisory:

Email Fleet at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in osquery Slack

Credits

Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.

AnalysisAI

{id}/hosts accepts the attacker-controlled order_key parameter without column allowlist validation, enabling character-by-character secret reconstruction without secrets ever appearing in response bodies. No public exploit has been identified at time of analysis and no CISA KEV listing was provided, but the attack is deterministic and scriptable against any Fleet deployment where Observer role is broadly granted.

Technical ContextAI

Fleet is an open-source osquery fleet management platform implemented in Go (package pkg:go/github.com/fleetdm/fleet/v4). The affected API endpoint GET /api/v1/fleet/labels/{id}/hosts builds its database query using a deprecated internal helper that appends the user-supplied order_key parameter directly into the SQL ORDER BY clause without validating it against a column allowlist - a classic CWE-89 (SQL Injection) pattern, specifically a blind ORDER BY injection. Because ORDER BY operates on the full result set including joined tables, an attacker can reference sensitive columns such as h.node_key from the hosts join. The cursor-based after parameter, designed for pagination, becomes the oracle mechanism: when after is lexicographically less than the current node_key value the query returns rows, and when it exceeds the value it returns none, leaking one character per request in a binary search. The node_key and orbit_node_key columns store the long-lived pre-shared secrets used by osquery and Orbit agents to authenticate all subsequent communications with the Fleet server.

RemediationAI

The primary remediation is upgrading Fleet to the patched release. The vendor advisory (https://github.com/fleetdm/fleet/security/advisories/GHSA-vxm7-9x8v-8gm4) identifies v4.85.0 as the patch release, while package metadata records the fix in 4.84.2 - verify which is correct for your release channel and upgrade to at least that version. If immediate upgrade is not feasible, restrict the Observer role exclusively to fully trusted personnel; this eliminates the authenticated attack surface without a code fix, but is an access-control mitigation only and does not address the underlying injection flaw. Additionally, rotate node_key and orbit_node_key for any hosts suspected of exposure by re-enrolling them - this invalidates any secrets an attacker may have already extracted and limits post-exploitation impact such as host impersonation. Re-enrollment causes a brief interruption in host check-in data during the re-enrollment window, which is an acceptable trade-off given the severity of secret exposure.

Share

CVE-2026-46370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy