CVE-2026-34389

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.0

Description Fleet, an open source device management software, had a flaw in how user invitations were handled. Specifically, the email address entered when accepting an invitation wasn’t checked against the email address linked to the original invitation. This allowed an attacker with a valid invite token to create an account using any email address and gain the role assigned to the invitation, potentially including global administrator privileges.

Recommendations Update to version 4.81.0 or later.