PT-2026-28346 · Fleet · Fleet
Fuzzztf · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-26060
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.0
Description: Fleet versions prior to 4.81.0 did not invalidate previously issued password reset tokens when a user changed their password. A reset token issued before the change therefore stayed usable until its 24-hour expiry, so an attacker who had already obtained such a token could reset the account password again after the victim's defensive password change. Exploitation requires prior compromise of a reset token and is bounded by the token's 24-hour lifetime. The flaw does not allow discovery of reset tokens, does not bypass authentication on its own, and does not affect accounts without an outstanding valid reset token.
Recommendations: Versions prior to 4.81.0 should be updated to version 4.81.0 or later. As a temporary workaround, users who believe a password reset token may have been exposed should wait for the token to expire (24 hours) before resuming use of the account, or contact a Fleet administrator to invalidate active sessions.
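The following is an added illustrative example, not Fleet's own code: a minimal in-memory account store in Go whose reset-token handling can be switched between the flawed behaviour (tokens survive a password change) and the fixed behaviour (a password change discards every outstanding token). All names (Store, IssueResetToken, SetPassword, RedeemResetToken, InvalidateOnPasswordChange) are hypothetical, the 24-hour TTL mirrors the advisory, and SHA-256 stands in for a real slow password hash such as bcrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ResetTokenTTL mirrors the 24-hour token lifetime described in the advisory.
const ResetTokenTTL = 24 * time.Hour

var (
	ErrNoSuchUser   = errors.New("no such user")
	ErrInvalidToken = errors.New("reset token is invalid or expired")
)

type account struct {
	passwordHash string
	resetTokens  map[string]time.Time // hex(sha256(token)) -> expiry
}

// Store is a hypothetical in-memory user store. InvalidateOnPasswordChange=false
// reproduces the flaw; true is the fixed behaviour. Now is injectable for tests.
type Store struct {
	InvalidateOnPasswordChange bool
	Now                        func() time.Time
	accounts                   map[string]*account
}

func NewStore(invalidateOnPasswordChange bool) *Store {
	return &Store{InvalidateOnPasswordChange: invalidateOnPasswordChange,
		Now: time.Now, accounts: map[string]*account{}}
}

// hashPassword is a stand-in for bcrypt/argon2; do not use SHA-256 for real passwords.
func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte("pw:" + pw))
	return hex.EncodeToString(sum[:])
}

// hashToken lets the store hold only token digests, so a DB leak does not leak tokens.
func hashToken(tok string) string {
	sum := sha256.Sum256([]byte("tok:" + tok))
	return hex.EncodeToString(sum[:])
}

func (s *Store) CreateUser(name, password string) {
	s.accounts[name] = &account{passwordHash: hashPassword(password), resetTokens: map[string]time.Time{}}
}

func (s *Store) CheckPassword(name, password string) bool {
	a, ok := s.accounts[name]
	return ok && a.passwordHash == hashPassword(password)
}

// IssueResetToken returns a fresh 256-bit random token and records its digest and expiry.
func (s *Store) IssueResetToken(name string) (string, error) {
	a, ok := s.accounts[name]
	if !ok {
		return "", ErrNoSuchUser
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	a.resetTokens[hashToken(tok)] = s.Now().Add(ResetTokenTTL)
	return tok, nil
}

// SetPassword is the authenticated, "defensive" password change.
func (s *Store) SetPassword(name, newPassword string) error {
	a, ok := s.accounts[name]
	if !ok {
		return ErrNoSuchUser
	}
	a.passwordHash = hashPassword(newPassword)
	if s.InvalidateOnPasswordChange {
		// Fix: outstanding reset tokens belong to the old credential state and must die with it.
		a.resetTokens = map[string]time.Time{}
	}
	return nil
}

// RedeemResetToken consumes a token (single use) and sets a new password if it is still valid.
func (s *Store) RedeemResetToken(name, token, newPassword string) error {
	a, ok := s.accounts[name]
	if !ok {
		return ErrNoSuchUser
	}
	h := hashToken(token)
	exp, ok := a.resetTokens[h]
	if !ok {
		return ErrInvalidToken
	}
	delete(a.resetTokens, h) // burn the token whether or not it is expired
	if !s.Now().Before(exp) {
		return ErrInvalidToken
	}
	a.passwordHash = hashPassword(newPassword)
	a.resetTokens = map[string]time.Time{} // a completed reset also voids any other token
	return nil
}

func main() {
	for _, fixed := range []bool{false, true} {
		s := NewStore(fixed)
		s.CreateUser("alice", "correct-horse")
		tok, _ := s.IssueResetToken("alice")           // token is compromised at this point
		_ = s.SetPassword("alice", "defensive-change") // victim reacts by changing the password
		err := s.RedeemResetToken("alice", tok, "attacker-chosen")
		fmt.Printf("invalidate-on-change=%v: stale token accepted=%v, attacker password works=%v\n",
			fixed, err == nil, s.CheckPassword("alice", "attacker-chosen"))
	}
}
```

With the flag off, the stale token is accepted after the defensive change and the attacker's password wins; with it on, the same replay fails with ErrInvalidToken. Two properties hold in both modes: a token is single use, and it is rejected once the 24-hour TTL has passed, which is why the advisory describes the exposure as bounded by that window.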

Weakness Enumeration: Insufficient Session Expiration (CWE-613)

Related Identifiers

CVE-2026-26060
GHSA-3458-R943-HMX4
GO-2026-4888
SUSE-SU-2026:1205-1

Affected Products

Fleet