PT-2026-3749 · Fleet Device Management · Fleet

Prateek-0490 · Published 2026-01-20 · Updated 2026-02-27 · CVE-2026-23517

CVSS v3.1 8.1 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.53.3
Fleet versions 4.53.3 through 4.75.2
Fleet versions 4.75.2 through 4.76.2
Fleet versions 4.76.2 through 4.77.1
Fleet versions 4.77.1 through 4.78.3
Description
Fleet, an open source device management software, has an access control issue. The debug/pprof endpoints were gated on authentication only, not on role, so any authenticated user, including one holding the least-privileged "Observer" role, could reach them. That exposed internal server diagnostics (runtime profiling data and in-memory application state) and allowed a low-privileged user to start CPU-intensive profiling runs on demand, which can degrade or deny service to the Fleet server. Authentication was required, but authorization was missing: the check answered "is this user logged in?" rather than "is this user allowed to profile the server?".
Recommendations
All affected versions (every release through 4.78.3, in each of the ranges listed above) should be upgraded to a fixed version. If an immediate upgrade is not possible, restrict the debug/pprof endpoints with an IP allowlist at the reverse proxy or firewall. Treat the allowlist as a stop-gap only: it narrows who can reach the endpoints but does not restore the missing role check, and it is only effective if the address being filtered is the real client address rather than one supplied through an untrusted proxy.
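The authorization failure described above and the allowlist stop-gap, as an added Go example that is not Fleet's own code: the standard net/http/pprof handlers behind an authentication-only check (the flawed pattern), the same handlers behind a role check (the fix), and an IP allowlist wrapper (the mitigation). The Role type, the constructed X-Demo-Role header, the handler and function names and the addresses are assumptions for illustration; a real server derives the role from the server-side session, never from a client-supplied header.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // caveat: this import also registers /debug/pprof/ on http.DefaultServeMux
)

// Role is a hypothetical role type; Fleet's real role model is not reproduced here.
type Role string

const (
	RoleObserver Role = "observer"
	RoleAdmin    Role = "admin"
)

// userFromRequest is a stand-in for session lookup so the example runs offline:
// the role is read from a constructed header. Production code must take the
// role from the session, never from anything the client controls.
func userFromRequest(r *http.Request) (Role, bool) {
	role := r.Header.Get("X-Demo-Role")
	return Role(role), role != ""
}

// pprofMux mounts the profiler on a private mux (never DefaultServeMux) so it
// can only be reached through whatever middleware wraps it.
func pprofMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)         // index plus heap, goroutine, allocs, ...
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile) // CPU profile: samples for ?seconds, the DoS vector
	return mux
}

// requireAuthenticated is the flawed pattern: any logged-in user passes, so an
// Observer reaches the profiler exactly like an admin.
func requireAuthenticated(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := userFromRequest(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireRole is the fix: authentication is not authorization. Anonymous
// callers get 401, authenticated callers without the required role get 403.
func requireRole(required Role, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := userFromRequest(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if role != required {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// allowIPs is the advisory's stop-gap: reject requests whose source address is
// outside the given CIDRs. It narrows exposure but does not replace the role
// check, and it only helps if RemoteAddr is the real client address.
func allowIPs(cidrs []string, next http.Handler) http.Handler {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(fmt.Sprintf("bad CIDR %q: %v", c, err)) // misconfiguration: fail closed at startup
		}
		nets = append(nets, n)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		ip := net.ParseIP(host)
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

func vulnerableHandler() http.Handler { return requireAuthenticated(pprofMux()) }
func fixedHandler() http.Handler      { return requireRole(RoleAdmin, pprofMux()) }
func mitigatedHandler(cidrs []string) http.Handler {
	return allowIPs(cidrs, requireAuthenticated(pprofMux()))
}

// probe issues an in-memory GET as a user with the given role (empty means
// anonymous) from remoteAddr and returns the HTTP status code.
func probe(h http.Handler, path string, role Role, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = remoteAddr
	if role != "" {
		req.Header.Set("X-Demo-Role", string(role))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const idx = "/debug/pprof/"
	m := mitigatedHandler([]string{"10.0.0.0/8"})
	fmt.Println("vulnerable, observer:", probe(vulnerableHandler(), idx, RoleObserver, "203.0.113.5:4444"))
	fmt.Println("fixed, observer:", probe(fixedHandler(), idx, RoleObserver, "203.0.113.5:4444"))
	fmt.Println("fixed, admin:", probe(fixedHandler(), idx, RoleAdmin, "203.0.113.5:4444"))
	fmt.Println("mitigated, observer from 203.0.113.5:", probe(m, idx, RoleObserver, "203.0.113.5:4444"))
	fmt.Println("mitigated, observer from 10.1.2.3:", probe(m, idx, RoleObserver, "10.1.2.3:4444"))
}
```

The probes hit the index page rather than /debug/pprof/profile so the demo returns immediately; in the vulnerable configuration an Observer could request the profile endpoint with a long ?seconds value and keep the CPU sampler running for that duration. Note the import-side caveat: importing net/http/pprof registers the handlers on http.DefaultServeMux, so a server that serves DefaultServeMux anywhere exposes them with no middleware at all.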

Tags: Exploit · Fix · DoS

Weakness Enumeration
Missing Authorization (CWE-862)
Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2026-23517
GHSA-4R5R-CCR6-Q6F6
GO-2026-4334
SUSE-SU-2026:0403-1

Affected Products

Fleet