
Commit 4064b05

1 parent 9e861a2 commit 4064b05


2 files changed

+274
-0
lines changed

Lines changed: 137 additions & 0 deletions
@@ -0,0 +1,137 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4r5r-ccr6-q6f6",
4+
"modified": "2026-01-20T20:55:14Z",
5+
"published": "2026-01-20T20:55:14Z",
6+
"aliases": [
7+
"CVE-2026-23517"
8+
],
9+
"summary": "Fleet has an Access Control vulnerability in debug/pprof endpoints",
10+
"details": "### Impact\n\nFleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist. \n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/fleetdm/fleet"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.78.0"
29+
},
30+
{
31+
"fixed": "4.78.3"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/fleetdm/fleet"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.77.0"
48+
},
49+
{
50+
"fixed": "4.77.1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Go",
59+
"name": "github.com/fleetdm/fleet"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "4.76.0"
67+
},
68+
{
69+
"fixed": "4.76.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Go",
78+
"name": "github.com/fleetdm/fleet"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "4.75.0"
86+
},
87+
{
88+
"fixed": "4.75.2"
89+
}
90+
]
91+
}
92+
]
93+
},
94+
{
95+
"package": {
96+
"ecosystem": "Go",
97+
"name": "github.com/fleetdm/fleet/v4"
98+
},
99+
"ranges": [
100+
{
101+
"type": "ECOSYSTEM",
102+
"events": [
103+
{
104+
"introduced": "0"
105+
},
106+
{
107+
"fixed": "4.78.3-0.20260112221730-5c030e32a3a9"
108+
}
109+
]
110+
}
111+
]
112+
}
113+
],
114+
"references": [
115+
{
116+
"type": "WEB",
117+
"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6"
118+
},
119+
{
120+
"type": "WEB",
121+
"url": "https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317"
122+
},
123+
{
124+
"type": "PACKAGE",
125+
"url": "https://github.com/fleetdm/fleet"
126+
}
127+
],
128+
"database_specific": {
129+
"cwe_ids": [
130+
"CWE-863"
131+
],
132+
"severity": "HIGH",
133+
"github_reviewed": true,
134+
"github_reviewed_at": "2026-01-20T20:55:14Z",
135+
"nvd_published_at": null
136+
}
137+
}
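Review bot: The `affected` ranges do not agree with the patch list in `details`: 4.53.3 is named as a fixed release, yet no range covers the 4.53.x branch, and the catch-all entry for `github.com/fleetdm/fleet/v4` runs from `0` to the pseudo-version `4.78.3-0.20260112221730-5c030e32a3a9`, so an OSV consumer matching on that module path will still report 4.53.3 (and 4.75.2, 4.76.2, 4.77.1) as vulnerable. A branch entry mirroring the other four, `{ "introduced": "4.53.0" }, { "fixed": "4.53.3" }`, would close the first gap; the catch-all should then stop at the oldest patched branch rather than at the tip-of-main pseudo-version, or be dropped. The catch-all also uses the `/v4` import path while the sibling advisory in this same commit uses plain `github.com/fleetdm/fleet` for its catch-all; only one of those can match what the repository's go.mod declares, so the two records should be reconciled. Note as well that the CVSS vector's `PR:L` is consistent with the "any authenticated user, including Observer" wording, so the severity itself looks right.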
Lines changed: 137 additions & 0 deletions
@@ -0,0 +1,137 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-63m5-974w-448v",
4+
"modified": "2026-01-20T20:55:17Z",
5+
"published": "2026-01-20T20:55:17Z",
6+
"aliases": [
7+
"CVE-2026-23518"
8+
],
9+
"summary": "Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment ",
10+
"details": "### Impact\n\nIf Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/fleetdm/fleet"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.78.0"
29+
},
30+
{
31+
"fixed": "4.78.3"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/fleetdm/fleet"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.77.0"
48+
},
49+
{
50+
"fixed": "4.77.1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Go",
59+
"name": "github.com/fleetdm/fleet"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "4.76.0"
67+
},
68+
{
69+
"fixed": "4.76.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Go",
78+
"name": "github.com/fleetdm/fleet"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "4.75.0"
86+
},
87+
{
88+
"fixed": "4.75.2"
89+
}
90+
]
91+
}
92+
]
93+
},
94+
{
95+
"package": {
96+
"ecosystem": "Go",
97+
"name": "github.com/fleetdm/fleet"
98+
},
99+
"ranges": [
100+
{
101+
"type": "ECOSYSTEM",
102+
"events": [
103+
{
104+
"introduced": "0"
105+
},
106+
{
107+
"fixed": "4.43.5-0.20260112202845-e225ef57912c"
108+
}
109+
]
110+
}
111+
]
112+
}
113+
],
114+
"references": [
115+
{
116+
"type": "WEB",
117+
"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v"
118+
},
119+
{
120+
"type": "WEB",
121+
"url": "https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257"
122+
},
123+
{
124+
"type": "PACKAGE",
125+
"url": "https://github.com/fleetdm/fleet"
126+
}
127+
],
128+
"database_specific": {
129+
"cwe_ids": [
130+
"CWE-347"
131+
],
132+
"severity": "CRITICAL",
133+
"github_reviewed": true,
134+
"github_reviewed_at": "2026-01-20T20:55:17Z",
135+
"nvd_published_at": null
136+
}
137+
}
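Review bot: The catch-all range in `affected` (introduced `0`, fixed `4.43.5-0.20260112202845-e225ef57912c`) leaves every version from 4.43.5 up to 4.75.0 uncovered, even though `details` lists 4.53.3 as a patch release and therefore implies 4.53.0–4.53.2 are vulnerable; a scanner consuming this record will report those versions as clean for an unauthenticated, critical signature bypass. Add a branch entry matching the others, `{ "introduced": "4.53.0" }, { "fixed": "4.53.3" }`, and double-check the pseudo-version base — a `4.43.5-…` prefix on a January 2026 fix commit looks like it was derived from a stale semver tag rather than the current release line, which is presumably why the range ends so early. The package name here is `github.com/fleetdm/fleet`, whereas the companion advisory in this commit uses `github.com/fleetdm/fleet/v4` for the same kind of range; pick the path go.mod actually declares and use it in both records. Since the bug lets an attacker enroll devices under arbitrary Azure AD identities, the Workarounds text would also benefit from a sentence advising operators to review Windows hosts enrolled during the exposure window, as upgrading alone presumably does not remove already-enrolled rogue devices.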
