CVE-2026-24004

5.3 MEDIUM

📋 TL;DR

This vulnerability in Fleet's Android MDM Pub/Sub handling allows unauthenticated attackers to trigger device unenrollment events, causing targeted Android devices to be removed from Fleet management. Only Fleet instances with Android MDM enabled are affected. The impact is limited to disruption of device management without granting access to Fleet or device data.

💻 Affected Systems

Products:
  • Fleet
Versions: All versions prior to 4.80.1
Operating Systems: All platforms running Fleet
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Android MDM feature is enabled

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could systematically unenroll all Android devices from Fleet management, causing complete loss of MDM control over the Android fleet.

🟠

Likely Case

Targeted unenrollment of specific Android devices, disrupting management for those devices until manually re-enrolled.

🟢

If Mitigated

No impact if Android MDM is disabled or proper authentication controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to the Android Pub/Sub endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.80.1

Vendor Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-9pm7-6g36-6j78

Restart Required: Yes

Instructions:

1. Back up Fleet configuration and data.
2. Upgrade Fleet to version 4.80.1 or later.
3. Restart Fleet services.
4. Verify Android MDM functionality.

🔧 Temporary Workarounds

Disable Android MDM

Platform: all

Temporarily disable Android Mobile Device Management feature

fleetctl config set --android_mdm_enabled false
systemctl restart fleet

🧯 If You Can't Patch

  • Disable Android MDM feature immediately
  • Implement network controls to restrict access to Android Pub/Sub endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the Fleet version is below 4.80.1 and Android MDM is enabled in the configuration.

Check Version:

fleetctl version

Verify Fix Applied:

Verify that the Fleet version is 4.80.1 or higher, then test Android device enrollment and unenrollment.
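The version check above is easy to get wrong with a plain string comparison ("4.9.0" sorts after "4.80.1" lexically). The following helper, added here as an example and not part of the advisory or of Fleet's own tooling, parses the version string you read from fleetctl version into an integer tuple and combines it with the Android MDM setting, which is the second half of the "affected" condition. The accepted version-string shapes are an assumption.

```python
import re

# Fixed version from the advisory: anything below this is affected.
FIXED_VERSION = (4, 80, 1)


def parse_version(raw):
    """Turn a version string into an (major, minor, patch) int tuple.

    Accepts an optional leading 'v' and ignores any suffix after the
    patch number (e.g. '4.79.0-12-gabcdef'); that format is an assumption
    for this example, not a statement about fleetctl's exact output.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_str, android_mdm_enabled):
    """Affected only if Android MDM is enabled AND the version is below 4.80.1."""
    if not android_mdm_enabled:
        return False
    return parse_version(version_str) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed inputs, not real fleetctl output.
    for ver, mdm in [("4.80.0", True), ("4.80.1", True), ("4.9.0", True), ("4.79.0", False)]:
        print(ver, "android_mdm" if mdm else "no_android_mdm", "->",
              "AFFECTED" if is_affected(ver, mdm) else "not affected")
```

Note that "4.9.0" is correctly reported as affected: a tuple comparison sees minor version 9 < 80, which a string comparison would not.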

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /api/v1/fleet/android/pubsub endpoint
  • Unexpected device unenrollment events

Network Indicators:

  • HTTP POST requests to Android Pub/Sub endpoint without authentication headers

SIEM Query:

source="fleet" AND (uri_path="/api/v1/fleet/android/pubsub" AND http_status=200 AND NOT auth_token=*)
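The same logic as the SIEM query, run offline over log lines, plus the correlation step a responder would actually want: tie each unexpected unenrollment event back to an unauthenticated Pub/Sub request that preceded it. This is an added example, not Fleet's code or the advisory's; the JSON log shape (ts, method, path, status, auth_token, src_ip, event, device_id fields) and the sample lines are constructed for the example and are not Fleet's real log format.

```python
import json
from datetime import datetime, timedelta

PUBSUB_PATH = "/api/v1/fleet/android/pubsub"

# Constructed sample log lines (not real Fleet output); field names are an assumption.
SAMPLE_LOGS = """\
{"ts":"2026-01-10T10:00:00Z","method":"POST","path":"/api/v1/fleet/android/pubsub","status":200,"auth_token":"tok-a","src_ip":"10.0.0.5"}
{"ts":"2026-01-10T10:00:05Z","method":"POST","path":"/api/v1/fleet/android/pubsub","status":200,"auth_token":"","src_ip":"203.0.113.7"}
{"ts":"2026-01-10T10:00:07Z","event":"android_device_unenrolled","device_id":"dev-42"}
{"ts":"2026-01-10T10:00:09Z","method":"POST","path":"/api/v1/fleet/android/pubsub","status":401,"src_ip":"203.0.113.7"}
{"ts":"2026-01-10T10:30:00Z","event":"android_device_unenrolled","device_id":"dev-43"}
{"ts":"2026-01-10T10:31:00Z","method":"GET","path":"/api/v1/fleet/hosts","status":200,"auth_token":"tok-b","src_ip":"10.0.0.6"}
"""


def parse_logs(text):
    """Parse newline-delimited JSON records, attaching a timezone-aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def unauthenticated_pubsub_hits(records):
    """Mirror of the SIEM query: successful POSTs to the Pub/Sub path with no auth token."""
    return [
        r for r in records
        if r.get("method") == "POST"
        and r.get("path") == PUBSUB_PATH
        and r.get("status") == 200
        and not r.get("auth_token")
    ]


def correlate_unenrollments(records, window_seconds=60):
    """Map each unenrollment event to the source IP of an unauthenticated
    Pub/Sub hit in the preceding window, or None if no such hit exists."""
    hits = unauthenticated_pubsub_hits(records)
    window = timedelta(seconds=window_seconds)
    result = {}
    for ev in records:
        if ev.get("event") != "android_device_unenrolled":
            continue
        suspect = None
        for h in hits:
            if timedelta(0) <= ev["_ts"] - h["_ts"] <= window:
                suspect = h["src_ip"]
                break
        result[ev["device_id"]] = suspect
    return result


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for h in unauthenticated_pubsub_hits(recs):
        print("unauthenticated pubsub hit:", h["ts"], h["src_ip"])
    for device, ip in correlate_unenrollments(recs).items():
        print("unenrolled", device, "<- suspect", ip or "none within window")
```

The 401 at 10:00:09 is deliberately excluded: a rejected request is noise for this rule, and a burst of 401s is a separate, lower-severity signal. The unenrollment of dev-43 has no unauthenticated hit within the window and is reported with no suspect, which is the case to triage as possibly legitimate.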
