
Commit 0c4b8e0

1 parent 253d8d3 commit 0c4b8e0

5 files changed

Lines changed: 14 additions & 10 deletions


advisories/github-reviewed/2025/03/GHSA-52jx-g6m5-h735/GHSA-52jx-g6m5-h735.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-52jx-g6m5-h735",
4-
"modified": "2025-03-14T20:32:17Z",
4+
"modified": "2026-01-21T16:51:42Z",
55
"published": "2025-03-06T19:12:27Z",
66
"aliases": [
77
"CVE-2025-27509"
88
],
99
"summary": "Fleet has SAML authentication vulnerability due to improper SAML response validation",
10-
"details": "### Impact\n\nIn vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:\n\n- Forge authentication assertions, potentially impersonating legitimate users.\n- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.\n- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.\n\nThis could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. \n\n### Patches\n\nThis issue is addressed in commit [fc96cc4](https://github.com/fleetdm/fleet/commit/fc96cc4e91047250afb12f65ad70e90b30a7fb1c) and is available in Fleet version 4.64.2.\n\nThe following backport versions also address this issue: \n\n- 4.63.2\n- 4.62.4\n- 4.58.1\n- 4.53.2\n\n### Workarounds\n\nIf an immediate upgrade is not possible, Fleet users should temporarily disable [single-sign-on (SSO)](https://fleetdm.com/docs/deploy/single-sign-on-sso) and use password authentication.\n\n### Credit\n\nThank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our [responsible disclosure process](https://github.com/fleetdm/fleet/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at security@fleetdm.com\n- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
10+
"details": "### Summary\n\nA vulnerability in Fleet’s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue affects Fleet deployments using single sign-on (SSO).\n\n### Impact\n\nIn vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:\n\n- Forge authentication assertions, potentially impersonating legitimate users.\n- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.\n- If MDM enrollment is enabled, certain endpoints could be used to create new accounts tied to forged assertions.\n\nThis could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. \n\n### Patches\n\nThis issue is addressed in commit [fc96cc4](https://github.com/fleetdm/fleet/commit/fc96cc4e91047250afb12f65ad70e90b30a7fb1c) and is available in Fleet version 4.64.2.\n\nThe following backport versions also address this issue: \n\n- 4.63.2\n- 4.62.4\n- 4.58.1\n- 4.53.2\n\n### Workarounds\n\nIf an immediate upgrade is not possible, Fleet users should temporarily disable [single-sign-on (SSO)](https://fleetdm.com/docs/deploy/single-sign-on-sso) and use password authentication.\n\n### Credit\n\nThank you @hakivvi, as well as Jeffrey Hofmann and Colby Morgan from the Robinhood Red Team for finding and reporting this vulnerability using our [responsible disclosure process](https://github.com/fleetdm/fleet/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at security@fleetdm.com\n- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",

advisories/github-reviewed/2026/01/GHSA-4r5r-ccr6-q6f6/GHSA-4r5r-ccr6-q6f6.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-4r5r-ccr6-q6f6",
4-
"modified": "2026-01-20T20:55:14Z",
4+
"modified": "2026-01-21T16:51:25Z",
55
"published": "2026-01-20T20:55:14Z",
66
"aliases": [
77
"CVE-2026-23517"
88
],
99
"summary": "Fleet has an Access Control vulnerability in debug/pprof endpoints",
10-
"details": "### Impact\n\nFleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist. \n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
10+
"details": "### Summary\n\nA broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.\n\n### Impact\n\nFleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist. \n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",

advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-63m5-974w-448v",
4-
"modified": "2026-01-20T20:55:17Z",
4+
"modified": "2026-01-21T16:51:12Z",
55
"published": "2026-01-20T20:55:17Z",
66
"aliases": [
77
"CVE-2026-23518"
88
],
99
"summary": "Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment ",
10-
"details": "### Impact\n\nIf Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
10+
"details": "### Summary\n\nA vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.\n\n### Impact\n\nIf Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",

advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-gfpw-jgvr-cw4j",
4-
"modified": "2026-01-20T20:52:17Z",
4+
"modified": "2026-01-21T16:50:59Z",
55
"published": "2026-01-20T20:52:17Z",
66
"aliases": [
77
"CVE-2026-22808"
88
],
99
"summary": "Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability",
10-
"details": "### Impact\n\nIf Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.\n\nA compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts.\n\nThis issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled.\n\n### Patches\n\n- 4.78.2\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
10+
"details": "### Summary\n\nA cross-site scripting (XSS) vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices.\n\n### Impact\n\nIf Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.\n\nA compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts.\n\nThis issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled.\n\n### Patches\n\n- 4.78.2\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",

advisories/github-reviewed/2026/01/GHSA-qvr7-7g55-69xj/GHSA-qvr7-7g55-69xj.json

Lines changed: 6 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-qvr7-7g55-69xj",
4-
"modified": "2026-01-14T21:15:43Z",
4+
"modified": "2026-01-21T16:52:07Z",
55
"published": "2026-01-14T21:15:43Z",
66
"aliases": [
77
"CVE-2026-23492"
@@ -62,6 +62,10 @@
6262
"type": "WEB",
6363
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj"
6464
},
65+
{
66+
"type": "ADVISORY",
67+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23492"
68+
},
6569
{
6670
"type": "WEB",
6771
"url": "https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3"
@@ -82,6 +86,6 @@
8286
"severity": "HIGH",
8387
"github_reviewed": true,
8488
"github_reviewed_at": "2026-01-14T21:15:43Z",
85-
"nvd_published_at": null
89+
"nvd_published_at": "2026-01-14T19:16:48Z"
8690
}
8791
}
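Review bot: verify that "2026-01-14T19:16:48Z" is NVD's publication timestamp rather than the CVE reservation date, since it precedes both "github_reviewed_at" and the advisory's own "published" value of 2026-01-14T21:15:43Z in the first hunk; if NVD did publish earlier that day, the value is fine and pairs correctly with the NVD ADVISORY reference added in the previous hunk.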
