PT-2026-28347 · Envoy+2

Fuzzztf · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-26061

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.0

Description: Fleet, an open source device management software, has multiple unauthenticated HTTP endpoints that do not enforce a size limit when reading request bodies. An unauthenticated attacker can exploit this by sending large or repeated HTTP payloads, leading to excessive memory allocation and a denial-of-service (DoS) condition. The issue impacts availability only, with no exposure of sensitive data, authentication bypass, privilege escalation, or integrity impact.

Recommendations: Versions prior to 4.81.0 should be upgraded to version 4.81.0 or later. As a temporary workaround, apply request body size limits at a reverse proxy or load balancer (e.g., NGINX, Envoy). Restrict network access to the endpoints to known IP ranges where feasible. Monitor memory usage and restart frequency for abnormal patterns.

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-26061
GHSA-99HJ-44VG-HFCP
GO-2026-4889
SUSE-SU-2026:1205-1

Affected Products

Envoy
Fleet
Nginx