Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
AnalysisAI
Fleet device management software prior to version 4.81.0 allows privilege escalation through email validation bypass in the user invitation flow. An attacker with a valid invite token can create an account using an arbitrary email address while retaining the role permissions granted by the invite, potentially obtaining global admin access. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The vulnerability exists in Fleet's user invitation acceptance mechanism, which fails to validate that the email address entered during account creation matches the email address associated with the original invite token. This represents an authentication and authorization control failure (CWE-287: Improper Authentication) where the application trusts user-supplied email input without cross-referencing it against the legitimate invite recipient. The vulnerability affects Fleet across all versions prior to 4.81.0, as indicated by the CPE string cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*. The root cause is insufficient input validation and email address binding during the invitation acceptance workflow, allowing an attacker to decouple the invite token from its intended recipient.
RemediationAI
Organizations must upgrade Fleet to version 4.81.0 or later, which patches the email validation bypass in the invitation acceptance workflow. The primary mitigation is to perform an immediate upgrade by deploying Fleet 4.81.0 from the official repository. For organizations unable to patch immediately, review and revoke all pending user invitations and monitor for unauthorized account creation, particularly accounts with elevated privileges. For detailed upgrade instructions and to confirm your current version, consult the Fleet repository and the security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h. After patching, audit existing user accounts and roles to ensure no unauthorized admin accounts were created via this vulnerability.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16797
GHSA-4f9r-x588-pp2h