PT-2026-22117 · Fleet · Fleet
Secfox-Ai · Published 2026-02-26 · Updated 2026-03-25 · CVE-2026-27465
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.80.1
Description
Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the “Observer” role. In affected versions, the Google Calendar service account credentials were not properly obfuscated before being returned, so a low-privilege user could retrieve the service account’s private key material. This could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. The issue does not allow escalation of privileges within Fleet or access to device management functionality.
Recommendations
Upgrade to version 4.80.1 or later.
If an immediate upgrade is not possible, remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.
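A post-upgrade regression check for the behaviour described above, as an added example that is not Fleet's code: it walks a saved JSON configuration response and reports every path whose value still contains PEM private key material. The field names and the sample body are constructed for illustration and are not Fleet's actual schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample response body: hypothetical field names, fake key text.
const exposedBody = `{"integrations":{"calendar":[{"domain":"example.com",
 "service_account_key":{"client_email":"svc@example.invalid",
 "private_key":"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}}]}}`

// FindExposedKeys decodes a JSON configuration response and returns the
// sorted JSON paths of string values that still carry PEM private key
// material. An empty result means no key material was found in the body.
func FindExposedKeys(body []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("response is not valid JSON: %w", err)
	}
	hits := []string{}
	walk("$", doc, &hits)
	sort.Strings(hits) // map iteration order is random; sort for stable output
	return hits, nil
}

// walk visits every value in the decoded document, tracking its path.
func walk(path string, v interface{}, hits *[]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			walk(path+"."+k, child, hits)
		}
	case []interface{}:
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", path, i), child, hits)
		}
	case string:
		// Common suffix of PKCS#8, RSA and EC PEM headers. It also matches
		// a key file that was embedded whole as a JSON-encoded string.
		if strings.Contains(t, "PRIVATE KEY-----") {
			*hits = append(*hits, path)
		}
	}
}

func main() {
	hits, err := FindExposedKeys([]byte(exposedBody))
	fmt.Println(hits, err)
}
```

Any path it reports means the credential was returned in the clear, so the service account key should be rotated as recommended above.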
Exploit
Fix
Information Disclosure
Related Identifiers
Affected Products
Fleet