CVE-2020-26276

10.0 CRITICAL

📋 TL;DR

This vulnerability allows attackers to modify trusted SAML responses accepted by Fleet osquery manager, enabling unauthorized logins through SSO authentication. It affects Fleet deployments that have configured SSO login with a SAML IdP. The root cause is XML parsing flaws in Go's standard library.

💻 Affected Systems

Products:
  • Fleet osquery manager
Versions: All versions before 3.5.1
Operating Systems: All platforms running Fleet
Default Config Vulnerable: ✅ No
Notes: Only affects users who have configured SSO authentication with SAML. Default installations without SSO are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete authentication bypass allowing unauthorized access to the Fleet management console, potentially leading to compromise of all managed osquery endpoints.

🟠 Likely Case: Unauthorized users gaining access to the Fleet dashboard with privileges matching the modified SAML response, enabling them to view or manage osquery data.

🟢 If Mitigated: No impact if SSO is disabled or the patch is applied; authentication remains secure.

🌐 Internet-Facing: HIGH - Fleet instances exposed to internet with SSO enabled are directly vulnerable to authentication bypass.
🏢 Internal Only: MEDIUM - Internal Fleet instances with SSO enabled remain vulnerable to internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires intercepting/modifying SAML responses, but the XML parsing vulnerability makes this straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.1

Vendor Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-w3wf-cfx3-6gcx

Restart Required: Yes

Instructions:

1. Back up the current Fleet configuration.
2. Stop the Fleet service.
3. Upgrade to Fleet 3.5.1 or later.
4. Restart the Fleet service.
5. Verify that SSO authentication works correctly.

🔧 Temporary Workarounds

Disable SSO Authentication (applies to: all affected versions)

Temporarily disable SAML-based SSO authentication until patching is possible:

  • Edit the Fleet configuration to remove or comment out the SSO settings
  • Restart the Fleet service

🧯 If You Can't Patch

  • Disable SSO authentication entirely in Fleet configuration
  • Implement network segmentation to restrict access to Fleet instance

🔍 How to Verify

Check if Vulnerable:

Check the Fleet version: if it is older than 3.5.1 AND SSO is configured, the system is vulnerable.

Check Version:

Run fleetctl version, or check the version information shown in the Fleet web interface.

Verify Fix Applied:

Confirm that the Fleet version is 3.5.1 or later, then test SSO authentication with both valid and invalid credentials.
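The version rule above (older than 3.5.1 AND SSO configured) can be applied mechanically across many instances. The following is an added example written for this page, not code from the Fleet project: it assumes the version string you pass in is the "x.y.z" value reported by fleetctl version (optionally prefixed with "v" or carrying a pre-release suffix) and that you supply the SSO-configured flag yourself from your deployment's configuration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the first patched Fleet release named in the advisory.
var FixedVersion = [3]int{3, 5, 1}

// parseVersion turns a string such as "3.4.0", "v3.5.1" or "3.5.1-rc1" into
// numeric major.minor.patch components and reports whether a pre-release
// suffix ("-rc1", "-beta") was present.
func parseVersion(s string) (v [3]int, prerelease bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		prerelease = s[i] == '-'
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return v, false, fmt.Errorf("non-numeric version component %q", p)
		}
		v[i] = n
	}
	return v, prerelease, nil
}

// olderThan reports whether a precedes b in major.minor.patch order.
func olderThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsVulnerable applies the advisory's rule: a deployment is exposed only if it
// runs a release before 3.5.1 AND has SAML SSO configured. A pre-release build
// of 3.5.1 itself is treated conservatively as not yet fixed.
func IsVulnerable(version string, ssoConfigured bool) (bool, error) {
	v, prerelease, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	if !ssoConfigured {
		return false, nil
	}
	return olderThan(v, FixedVersion) || (v == FixedVersion && prerelease), nil
}

func main() {
	// Constructed inputs (assumption): replace the version string with the value
	// reported by "fleetctl version" and the flag with your real SSO state.
	cases := []struct {
		ver string
		sso bool
	}{{"3.4.0", true}, {"3.4.0", false}, {"v3.5.1", true}, {"3.5.1-rc1", true}, {"3.6.0", true}}
	for _, c := range cases {
		vuln, err := IsVulnerable(c.ver, c.sso)
		fmt.Printf("version=%-10s sso=%-5v vulnerable=%-5v err=%v\n", c.ver, c.sso, vuln, err)
	}
}
```

A non-numeric version string such as "latest" is rejected rather than silently classified, so an inventory script cannot mark an instance as safe just because its version could not be parsed.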

📡 Detection & Monitoring

Log Indicators:

  • Failed SSO login attempts with modified XML
  • Successful logins from unexpected users via SSO
  • XML parsing errors in authentication logs

Network Indicators:

  • Unusual SAML response modifications
  • XML injection attempts in authentication traffic

SIEM Query:

source="fleet" AND (event="authentication_failure" OR event="sso_login") AND (message="*XML*" OR message="*SAML*")
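To show the SIEM query and the "successful logins from unexpected users" indicator as executable detection logic, here is an added example written for this page, not code from Fleet or any SIEM vendor. It assumes a simple key=value log layout with double-quoted values (a constructed format, not Fleet's real log schema) and a constructed allowlist of accounts expected to use SSO; the sample log lines are likewise constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleLogs are constructed log lines in a key=value layout (an assumption of
// this example, not Fleet's real log format); values may be double-quoted.
var SampleLogs = []string{
	`source=fleet event=sso_login user=alice@example.com result=success message="login ok"`,
	`source=fleet event=authentication_failure user=bob@example.com message="XML parse error in SAML response"`,
	`source=fleet event=sso_login user=mallory@example.com result=success message="SAML assertion accepted"`,
	`source=fleet event=host_enrolled host=web-01 message="osquery host enrolled"`,
	`source=nginx event=request path=/api/v1/fleet/sso message="POST 200"`,
}

// KnownUsers is a constructed allowlist of accounts expected to log in via SSO.
var KnownUsers = map[string]bool{"alice@example.com": true, "bob@example.com": true}

// Finding records one log line that matched a detection rule.
type Finding struct {
	Line   int               // 1-based index into the input
	Rule   string            // which rule fired
	Record map[string]string // parsed fields of the line
}

// splitFields splits on spaces but keeps double-quoted values intact.
func splitFields(line string) []string {
	var fields []string
	var cur strings.Builder
	inQuote := false
	for _, r := range line {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ' ' && !inQuote:
			if cur.Len() > 0 {
				fields = append(fields, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		fields = append(fields, cur.String())
	}
	return fields
}

// parseLogLine turns `k=v k2="v 2"` into a map of field name to value.
func parseLogLine(line string) map[string]string {
	rec := make(map[string]string)
	for _, f := range splitFields(line) {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			rec[kv[0]] = kv[1]
		}
	}
	return rec
}

// Detect runs two rules over the lines. The first mirrors the page's SIEM query:
// source="fleet" AND event in (authentication_failure, sso_login) AND message
// mentions XML or SAML. The second flags a successful SSO login by a user not
// on the allowlist, the "successful logins from unexpected users" indicator.
func Detect(lines []string, known map[string]bool) []Finding {
	var out []Finding
	for i, line := range lines {
		rec := parseLogLine(line)
		if rec["source"] != "fleet" {
			continue
		}
		ev := rec["event"]
		msg := strings.ToUpper(rec["message"])
		if (ev == "authentication_failure" || ev == "sso_login") &&
			(strings.Contains(msg, "XML") || strings.Contains(msg, "SAML")) {
			out = append(out, Finding{Line: i + 1, Rule: "siem-query", Record: rec})
		}
		if ev == "sso_login" && rec["result"] == "success" && !known[rec["user"]] {
			out = append(out, Finding{Line: i + 1, Rule: "unexpected-sso-user", Record: rec})
		}
	}
	return out
}

func main() {
	for _, f := range Detect(SampleLogs, KnownUsers) {
		fmt.Printf("line %d [%s] user=%s message=%q\n", f.Line, f.Rule, f.Record["user"], f.Record["message"])
	}
}
```

On the sample input the query rule fires on the XML parse failure and on the SAML login by mallory@example.com, and the allowlist rule fires on that same login; alice's successful login and the non-Fleet nginx line are ignored. The allowlist rule is the one that still catches a bypass whose forged response produces no parser error at all.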
