Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Summary
Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host.
Impact
An authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the PublishLogs endpoint.
This vulnerability impacts availability only. There is:
- No exposure of sensitive data
- No authentication bypass
- No privilege escalation
- No integrity impact
Workarounds
If upgrading immediately is not possible, the following mitigations can reduce exposure:
- Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges).
- Deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required.
- Monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.
For More Information
If you have any questions or concerns about this advisory, please contact us at:
Email us at [security@fleetdm.com](mailto:security@fleetdm.com)
Credits
We thank @fuzzztf for responsibly reporting this issue.
AnalysisAI
Fleet server crashes from a single malformed gRPC request to the PublishLogs endpoint, allowing complete denial of service. An attacker with any enrolled Launcher node key can terminate the Fleet server process instantly via a crafted gRPC call. CVSS 8.7 (High) reflects the ease and impact, though exploitation requires prior enrollment of a Launcher host. Vendor-released patch version 4.81.0 available. No public exploit identified at time of analysis, but attack requires minimal sophistication given authenticated access.
Technical ContextAI
This vulnerability affects the gRPC-based Launcher log ingestion subsystem in Fleet (github.com/fleetdm/fleet/v4), specifically the PublishLogs endpoint. Fleet is an open-source device management platform that uses osquery for endpoint visibility, with Launcher serving as the enrollment and communication agent. The gRPC endpoint processes log uploads from enrolled Launcher hosts. The root cause is CWE-20 (Improper Input Validation): the server failed to sanitize or validate unexpected input values in gRPC messages, leading to unhandled exceptions that terminate the Go process. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N/VA:H) indicates network-accessible, low-complexity exploitation with high availability impact, though the description clarifies authentication is actually required via enrolled Launcher node keys, suggesting a potential CVSS vector discrepancy.
RemediationAI
Upgrade to Fleet v4.81.0 or later, which includes input validation fixes for the gRPC PublishLogs endpoint (vendor-released patch confirmed in release notes at https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.0). If immediate upgrade is not feasible, implement network segmentation to restrict gRPC endpoint access to known Launcher host IP ranges (reduces attack surface but does not prevent exploitation by compromised enrolled hosts). Alternative compensating control: deploy a gRPC-aware reverse proxy or WAF to filter malformed requests, though this requires deep gRPC protocol inspection capability and may introduce latency. If Launcher log ingestion is not operationally required, disable or firewall the gRPC endpoint entirely (this breaks log collection functionality). Monitor Fleet process health for unexpected crashes via process supervisor alerts as a detection-only control. No workaround fully mitigates the vulnerability without patching; compensating controls only reduce exposure in specific network topologies.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30375
GHSA-x67p-9m2r-fxqv