CVE-2026-27465
📋 TL;DR
This vulnerability in Fleet device management software exposes Google Calendar service account credentials to authenticated low-privilege users. Attackers could gain unauthorized access to Google Calendar data and potentially other Google Workspace resources. Only Fleet instances with Google Calendar integration enabled are affected.
💻 Affected Systems
- Fleet
📦 What is this software?
Fleet by Fleetdm
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Google Workspace resources associated with the service account, including calendar data, emails, documents, and administrative access depending on service account permissions.
Likely Case
Unauthorized access to Google Calendar data, potentially exposing sensitive meeting information, schedules, and confidential business communications.
If Mitigated
Limited to credential exposure without actual exploitation if credentials are rotated before use.
🎯 Exploit Status
Exploitation requires authenticated access but only needs low-privilege observer role. Simple API call to retrieve credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.80.1
Vendor Advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-2v6m-6xw3-6467
Restart Required: Yes
Instructions:
1. Upgrade Fleet to version 4.80.1 or later.
2. Restart Fleet services.
3. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Disable Google Calendar Integration
Remove Google Calendar integration from Fleet configuration to eliminate the vulnerability vector.
Edit Fleet configuration to remove Google Calendar integration settings
Restart Fleet services
🧯 If You Can't Patch
- Immediately rotate all Google service account credentials used by Fleet
- Disable Google Calendar integration in Fleet configuration and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check if Fleet version is below 4.80.1 AND Google Calendar integration is enabled in configuration.
Check Version:
fleetctl version or check Fleet web interface version display
Verify Fix Applied:
Verify Fleet version is 4.80.1 or higher and test that configuration API no longer returns service account credentials.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to configuration endpoints from observer role users
- Multiple failed authentication attempts followed by successful configuration API access
Network Indicators:
- Unusual outbound connections to Google APIs from Fleet server
- API requests to /api/v1/fleet/config endpoint from low-privilege accounts
SIEM Query:
source="fleet" AND (uri_path="/api/v1/fleet/config" OR event="configuration_access") AND user_role="observer"
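The two log indicators and the SIEM query above, implemented as an added Python example that is not part of this advisory: it parses JSON-lines access events, flags config-endpoint reads by observer-role users, and flags a run of failed logins followed by a successful config read. The sample log and its field names (user, user_role, uri_path, status) are constructed, and the login path is an assumption; only /api/v1/fleet/config comes from the page.

```python
import json
from collections import defaultdict

# Constructed JSON-lines access events for illustration; the field names are
# assumed and are not Fleet's real log schema.
SAMPLE_LOG = """\
{"ts": 1, "user": "alice", "user_role": "admin",    "uri_path": "/api/v1/fleet/config", "status": 200}
{"ts": 2, "user": "bob",   "user_role": "observer", "uri_path": "/api/v1/fleet/hosts",  "status": 200}
{"ts": 3, "user": "bob",   "user_role": "observer", "uri_path": "/api/v1/fleet/config", "status": 200}
{"ts": 4, "user": "carol", "uri_path": "/api/v1/fleet/login",  "status": 401}
{"ts": 5, "user": "carol", "uri_path": "/api/v1/fleet/login",  "status": 401}
{"ts": 6, "user": "carol", "uri_path": "/api/v1/fleet/login",  "status": 401}
{"ts": 7, "user": "carol", "user_role": "observer", "uri_path": "/api/v1/fleet/config", "status": 200}
"""

CONFIG_PATH = "/api/v1/fleet/config"  # endpoint named in the advisory's indicators
LOGIN_PATH = "/api/v1/fleet/login"    # assumed path for authentication attempts


def parse_events(log_text):
    """Parse JSON-lines into dicts, skipping blank lines, ordered by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.get("ts", 0))


def observer_config_reads(events):
    """First indicator (same condition as the SIEM query): the config endpoint
    accessed by an observer-role user. Returns the offending usernames."""
    return [e["user"] for e in events
            if e.get("uri_path") == CONFIG_PATH and e.get("user_role") == "observer"]


def brute_force_then_config(events, threshold=3):
    """Second indicator: a user with >= threshold failed logins since their last
    config read who then successfully reads the config endpoint."""
    failures = defaultdict(int)
    flagged = []
    for e in events:
        user = e.get("user")
        if e.get("uri_path") == LOGIN_PATH and e.get("status") == 401:
            failures[user] += 1
        elif e.get("uri_path") == CONFIG_PATH and e.get("status") == 200:
            if failures[user] >= threshold:
                flagged.append(user)
            failures[user] = 0  # streak is consumed once evaluated
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("observer config reads:", observer_config_reads(evts))
    print("failed logins then config read:", brute_force_then_config(evts))
```

Any hit on either indicator before the 4.80.1 upgrade is a cue to rotate the Google service account credentials, since the config read may already have exposed them.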