CVE-2026-23517
📋 TL;DR
Fleet device management software versions before 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 have broken access control that allows any authenticated user, including low-privilege Observer roles, to access debug/profiling endpoints. This exposes internal server diagnostics and allows triggering resource-intensive operations that could cause denial of service.
💻 Affected Systems
- Fleet
📦 What is this software?
Fleet by Fleetdm
⚠️ Risk & Real-World Impact
Worst Case
Low-privilege authenticated users can access sensitive server internals, view runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations leading to denial of service.
Likely Case
Internal users with basic authentication can access debug endpoints to view server diagnostics and potentially degrade performance through profiling operations.
If Mitigated
Only authorized administrators can access debug endpoints for legitimate troubleshooting purposes.
🎯 Exploit Status
Exploitation requires valid authentication but minimal technical skill - just accessing known debug endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3
Vendor Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6
Restart Required: Yes
Instructions:
1. Back up your Fleet configuration and database.
2. Stop the Fleet service.
3. Upgrade to a patched version using your deployment method (Docker, package manager, etc.).
4. Restart the Fleet service.
5. Verify the running version and confirm that endpoint access controls are enforced.
🔧 Temporary Workarounds
IP Allowlist for Debug Endpoints
Restrict access to the debug/pprof endpoints to specific IP addresses using network controls or web server configuration.
# Example nginx configuration:
location /debug/pprof {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
}
🧯 If You Can't Patch
- Disable debug endpoints entirely in Fleet configuration if not needed for troubleshooting.
- Implement strict network segmentation to isolate Fleet management interface from regular user networks.
🔍 How to Verify
Check if Vulnerable:
Check if authenticated low-privilege user can access /debug/pprof endpoints or verify Fleet version is vulnerable.
Check Version:
Run fleetctl version, or check the version shown in the Fleet web interface.
Verify Fix Applied:
Confirm low-privilege users cannot access /debug/pprof endpoints and verify running patched version.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /debug/pprof endpoints
- High CPU usage from profiling operations
- Authentication logs showing Observer role users accessing debug paths
Network Indicators:
- HTTP requests to /debug/pprof/* from non-admin IP addresses
- Unusual traffic patterns to debug endpoints
SIEM Query:
source="fleet" AND (uri_path="/debug/pprof" OR uri_path="/debug/pprof/*") AND user_role!="admin"
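The SIEM query above can be reproduced as a small log filter for environments without a SIEM. The following is an added example, not code from the page or from Fleet itself; it assumes JSON-per-line access logs with the field names used in the query (uri_path, user_role, user), which you should map to your own log schema. It also avoids the over-match a bare prefix wildcard can produce (e.g. a path like /debug/pprofile).

```python
"""Flag non-admin requests to Fleet /debug/pprof endpoints in JSON access logs."""
import json
from collections import Counter

# Assumed field names, chosen to mirror the SIEM query; adjust to your log schema.
PATH_FIELD = "uri_path"
ROLE_FIELD = "user_role"
USER_FIELD = "user"
PPROF_PREFIX = "/debug/pprof"


def is_pprof_path(path: str) -> bool:
    """True for /debug/pprof itself or any sub-path such as /debug/pprof/profile."""
    return path == PPROF_PREFIX or path.startswith(PPROF_PREFIX + "/")


def find_suspicious(lines):
    """Return (user, role, path) for each non-admin request to a pprof endpoint."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        path = rec.get(PATH_FIELD, "")
        role = rec.get(ROLE_FIELD, "")
        if is_pprof_path(path) and role != "admin":
            hits.append((rec.get(USER_FIELD, "?"), role, path))
    return hits


def per_user_counts(hits):
    """Count hits per user; repeated profile/heap pulls by one account stand out."""
    return Counter(user for user, _, _ in hits)


# Constructed sample lines (not real Fleet log output).
SAMPLE_LOG = """
{"uri_path": "/api/v1/fleet/hosts", "user": "alice", "user_role": "observer"}
{"uri_path": "/debug/pprof/profile", "user": "alice", "user_role": "observer"}
{"uri_path": "/debug/pprof", "user": "bob", "user_role": "admin"}
{"uri_path": "/debug/pprofile", "user": "carol", "user_role": "observer"}
{"uri_path": "/debug/pprof/heap", "user": "alice", "user_role": "observer"}
not json
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("ALERT non-admin pprof access: user=%s role=%s path=%s" % hit)
```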