CVE-2026-22808
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Fleet device management software that allows unauthenticated attackers to steal administrator authentication tokens when Windows MDM is enabled. The stolen tokens can grant unauthorized administrative access to Fleet, potentially compromising device data and configuration. Organizations using affected Fleet versions with Windows MDM enabled are at risk.
💻 Affected Systems
- fleetdm/fleet
📦 What is this software?
Fleet by Fleetdm
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Fleet instance with administrative privileges, allowing an attacker to view all device data, modify configurations, deploy malicious software to managed devices, and maintain persistent access.
Likely Case
Unauthorized access to the Fleet administrative interface, enabling an attacker to view sensitive device information and potentially modify configurations affecting managed endpoints.
If Mitigated
Limited impact with proper network segmentation and monitoring, though stolen credentials could still be used if an attacker gains access to the internal network.
🎯 Exploit Status
Exploitation requires Windows MDM to be enabled and involves XSS payload delivery to steal localStorage authentication tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.78.2, 4.77.1, 4.76.2, 4.75.2, or 4.53.3
Vendor Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j
Restart Required: Yes
Instructions:
1. Back up the Fleet configuration and data.
2. Upgrade to one of the patched versions: 4.78.2, 4.77.1, 4.76.2, 4.75.2, or 4.53.3.
3. Restart Fleet services.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Windows MDM
- Temporarily disable the Windows Mobile Device Management feature in the Fleet configuration
- Edit the Fleet configuration file to set 'mdm.enabled_windows' to false
- Restart Fleet services after the configuration change
🧯 If You Can't Patch
- Immediately disable Windows MDM feature in Fleet configuration
- Implement network segmentation to isolate Fleet instance from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Fleet is vulnerable if its version is below the patched release for its branch AND Windows MDM is enabled in the configuration
Check Version:
fleetctl version
Verify Fix Applied:
Verify that the Fleet version is 4.78.2, 4.77.1, 4.76.2, 4.75.2, or 4.53.3, or a later release
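As an added example (not code from the Fleet project or from this advisory), the following Python check applies the patched-version list above to a version string such as the output of `fleetctl version`. It assumes the version appears in that output as plain x.y.z (an assumption about the output format), treats a build on one of the five listed branches as fixed only at or above that branch's patch release, and treats a build on an unlisted branch (for example 4.60.x, which received no backport) as needing an upgrade unless it is newer than 4.78.2.

```python
import re
import subprocess

# Patched releases per 4.x branch, as listed in the advisory above.
PATCHED_BY_BRANCH = {
    (4, 78): (4, 78, 2),
    (4, 77): (4, 77, 1),
    (4, 76): (4, 76, 2),
    (4, 75): (4, 75, 2),
    (4, 53): (4, 53, 3),
}
# Assumption: any release newer than the newest listed fix also carries the fix.
NEWEST_FIX = max(PATCHED_BY_BRANCH.values())

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z version from arbitrary text (e.g. `fleetctl version` output).

    Assumption: the version is printed as plain x.y.z somewhere in the text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_fixed(text: str) -> bool:
    """True when the version is a patched release.

    On a listed branch the build must be at or above that branch's patch release.
    On an unlisted branch the build counts as fixed only if it is newer than the
    newest listed fix; older unlisted branches never received a backport."""
    version = parse_version(text)
    branch_fix = PATCHED_BY_BRANCH.get(version[:2])
    if branch_fix is not None:
        return version >= branch_fix
    return version > NEWEST_FIX


def is_vulnerable(version_text: str, windows_mdm_enabled: bool) -> bool:
    """Exposure requires both an unpatched version and Windows MDM being enabled."""
    return windows_mdm_enabled and not version_is_fixed(version_text)


if __name__ == "__main__":
    # Run the real check against the local fleetctl; whether Windows MDM is enabled
    # must be read from the Fleet configuration and is left as a placeholder here.
    try:
        out = subprocess.run(["fleetctl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not run fleetctl: {exc}")
    verdict = "patched release" if version_is_fixed(out) else "UNPATCHED: upgrade required"
    print(parse_version(out), verdict)
```

Because the fix was backported to several branches, a plain "is the version at least 4.78.2" comparison would wrongly flag 4.77.1 and 4.53.3 as unpatched; the per-branch table is what makes the check match the advisory.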
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Multiple failed login attempts followed by successful admin access
- Configuration changes from unexpected sources
Network Indicators:
- Unexpected outbound connections from Fleet server
- Suspicious HTTP requests to Fleet endpoints
SIEM Query:
source="fleet" AND (event="authentication" AND result="success" AND user="admin" AND src_ip NOT IN [trusted_ips])
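The SIEM query above is written in vendor-neutral pseudo-syntax. As an added example, not part of this advisory and not Fleet's own tooling, the Python below implements the two log-indicator rules over constructed sample events: admin activity (a successful login or a configuration change) from a source outside the trusted ranges, and several failed logins followed by a success for the same user from the same source. The field names `ts`, `event`, `result`, `user` and `src_ip`, the trusted networks and the sample events are all constructed for this example and must be mapped onto the real log schema in use.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events, one JSON object per line (not real Fleet log output).
SAMPLE_LOG = """\
{"ts": "2026-01-15T10:00:00Z", "event": "authentication", "result": "failure", "user": "admin", "src_ip": "203.0.113.7"}
{"ts": "2026-01-15T10:00:05Z", "event": "authentication", "result": "failure", "user": "admin", "src_ip": "203.0.113.7"}
{"ts": "2026-01-15T10:00:09Z", "event": "authentication", "result": "failure", "user": "admin", "src_ip": "203.0.113.7"}
{"ts": "2026-01-15T10:00:20Z", "event": "authentication", "result": "success", "user": "admin", "src_ip": "203.0.113.7"}
{"ts": "2026-01-15T10:05:00Z", "event": "authentication", "result": "success", "user": "admin", "src_ip": "10.0.0.5"}
{"ts": "2026-01-15T10:06:00Z", "event": "authentication", "result": "success", "user": "alice", "src_ip": "203.0.113.9"}
{"ts": "2026-01-15T11:00:00Z", "event": "config_change", "user": "admin", "src_ip": "10.0.0.5"}
{"ts": "2026-01-15T11:30:00Z", "event": "config_change", "user": "admin", "src_ip": "203.0.113.7"}
"""

# Constructed trusted ranges; replace with the networks that legitimately reach Fleet.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_USERS = {"admin"}


def parse_events(text):
    """Parse JSON-lines events and convert the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def from_trusted(src_ip):
    addr = ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_admin_activity(events):
    """Rule 1: admin login success or configuration change from outside trusted ranges.

    This is the rule that also catches a stolen token being replayed, since token
    reuse produces privileged actions without any preceding failed logins."""
    hits = []
    for ev in events:
        if ev["user"] not in ADMIN_USERS or from_trusted(ev["src_ip"]):
            continue
        is_login = ev["event"] == "authentication" and ev.get("result") == "success"
        if is_login or ev["event"] == "config_change":
            hits.append(ev)
    return hits


def failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 2: at least `threshold` failed logins for the same user from the same
    source within `window` before a successful login."""
    auth = sorted((e for e in events if e["event"] == "authentication"),
                  key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(auth):
        if ev["result"] != "success":
            continue
        recent_failures = [
            p for p in auth[:i]
            if p["result"] == "failure" and p["user"] == ev["user"]
            and p["src_ip"] == ev["src_ip"] and ev["ts"] - p["ts"] <= window
        ]
        if len(recent_failures) >= threshold:
            alerts.append({"user": ev["user"], "src_ip": ev["src_ip"],
                           "ts": ev["ts"], "failures": len(recent_failures)})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in untrusted_admin_activity(evs):
        print("untrusted admin activity:", hit["event"], hit["src_ip"], hit["ts"])
    for alert in failures_then_success(evs):
        print("failures then success:", alert)
```

Of the two rules, the untrusted-source rule matters most for this CVE: a token lifted from localStorage is replayed directly, so the attacker's session produces no failed logins and may produce no login event at all, only privileged requests and configuration changes from an unexpected address.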