A broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.

Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.

If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist.

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)

We thank @secfox-ai for responsibly reporting this issue.