PT-2026-22116 · Fleet · Fleet
Secfox-Ai · Published 2026-02-26 · Updated 2026-03-25 · CVE-2026-25963
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.80.1
Description
Fleet’s certificate template deletion API had a broken authorization check. This allowed a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. The issue stemmed from a validation flaw in the batch deletion endpoint, where the system used a user-supplied team identifier without verifying if the certificate template IDs being deleted actually belonged to that team. This could disrupt certificate-based workflows, including device enrollment, Wi-Fi authentication, VPN access, and other certificate-dependent configurations. The impact is limited to the integrity and availability of certificate templates across teams.
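The authorization gap described above, shown as an added Go example that is not Fleet's code: one batch delete trusts the caller's team ID, the other checks that every template ID belongs to that team before deleting anything. The `Store` type, the function names and the sample IDs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Store maps template ID -> owning team ID (hypothetical model, not Fleet's schema).
type Store map[uint]uint

// ErrForbidden is returned for missing and foreign IDs alike, so the
// response does not reveal which IDs exist in other teams.
var ErrForbidden = errors.New("template not found in authorized team")

// deleteUnchecked shows the flawed pattern: the caller was authorized for
// teamID, but the IDs are deleted without comparing their owner to it.
func deleteUnchecked(s Store, teamID uint, ids []uint) error {
	for _, id := range ids {
		delete(s, id)
	}
	return nil
}

// deleteScoped validates ownership of the whole batch first, then deletes,
// so a batch containing one foreign ID changes nothing.
func deleteScoped(s Store, teamID uint, ids []uint) error {
	for _, id := range ids {
		if owner, ok := s[id]; !ok || owner != teamID {
			return fmt.Errorf("template %d: %w", id, ErrForbidden)
		}
	}
	for _, id := range ids {
		delete(s, id)
	}
	return nil
}

// sampleStore returns constructed data: templates 1 and 2 belong to team 1, template 3 to team 2.
func sampleStore() Store { return Store{1: 1, 2: 1, 3: 2} }

func main() {
	a, b := sampleStore(), sampleStore()
	_ = deleteUnchecked(a, 1, []uint{2, 3})
	err := deleteScoped(b, 1, []uint{2, 3})
	fmt.Println("unchecked left:", len(a), "scoped left:", len(b), "err:", err)
}
```

In a SQL-backed service the same rule is usually enforced by including the team ID in the `DELETE ... WHERE` clause and comparing the affected row count to the batch size.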
Recommendations
Upgrade to Fleet version 4.80.1 or later.
Restrict access to certificate template management to trusted users.
Avoid delegating team administrator permissions where not strictly required.
Exploit
Fix
LPE
Incorrect Authorization
Affected Products
Fleet