PT-2026-3750 · Jetbrains · Fleet

Prateek-0490 · Published 2026-01-20 · Updated 2026-05-14 · CVE-2026-23518

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Fleet versions prior to 4.53.3
- Fleet versions 4.53.3 through 4.75.2
- Fleet versions 4.75.2 through 4.76.2
- Fleet versions 4.76.2 through 4.77.1
- Fleet versions 4.77.1 through 4.78.3

Description
A critical authentication issue exists in Fleet Device Management’s Windows MDM enrollment process. Attackers can bypass authentication by submitting unsigned or maliciously crafted JWTs. The system lacks JWT signature verification, accepting arbitrary identity claims without validating their origin from Azure AD. This allows enrollment of rogue devices under any Azure AD user identity.

Recommendations
- Upgrade to Fleet version 4.53.3 or later.
- If an immediate upgrade is not possible for versions 4.53.3 through 4.75.2, temporarily disable Windows MDM.
- If an immediate upgrade is not possible for versions 4.75.2 through 4.76.2, temporarily disable Windows MDM.
- If an immediate upgrade is not possible for versions 4.76.2 through 4.77.1, temporarily disable Windows MDM.
- If an immediate upgrade is not possible for versions 4.77.1 through 4.78.3, temporarily disable Windows MDM.
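As an added illustration of the weakness in the description (example code written for this page, not Fleet's enrollment code), the first function trusts whatever the token payload claims, while the second pins the algorithm, verifies the signature against the issuer's public key before reading a single claim, and requires the issuer to be the expected tenant. It signs with EdDSA rather than Azure AD's RS256 to stay short; the key pair, issuer URL and upn value used when exercising it are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// seg base64url-decodes one token segment, returning nil on malformed input (rejected by every check below).
func seg(s string) []byte {
	if b, err := base64.RawURLEncoding.DecodeString(s); err == nil {
		return b
	}
	return nil
}

// insecureClaims mirrors the weakness: the payload is decoded and trusted without the signature ever being checked.
func insecureClaims(token string) (map[string]any, error) {
	parts, claims := strings.Split(token, "."), map[string]any{}
	if len(parts) != 3 || json.Unmarshal(seg(parts[1]), &claims) != nil {
		return nil, errors.New("malformed token")
	}
	return claims, nil
}

// verifiedClaims is the hardened form: alg pinned, signature verified before the payload is read, iss checked.
func verifiedClaims(token string, pub ed25519.PublicKey, wantIss string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || json.Unmarshal(seg(parts[0]), &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("alg must be EdDSA")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), seg(parts[2])) {
		return nil, errors.New("signature invalid")
	}
	claims, err := insecureClaims(token) // decoding is safe only now that the signature checked out
	if err != nil || claims["iss"] != wantIss {
		return nil, errors.New("untrusted issuer")
	}
	return claims, nil
}

// signEdDSA mints a token the way the issuer would; it exists only to build sample input.
func signEdDSA(priv ed25519.PrivateKey, payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	signing := enc([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc([]byte(payload))
	return signing + "." + enc(ed25519.Sign(priv, []byte(signing)))
}
```

In a real deployment the public key is the one the tenant publishes at its JWKS endpoint, selected by the token's kid header; the enrollment server never holds the private half.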

Weakness Enumeration
Improper Verification of Cryptographic Signature

Related Identifiers
CVE-2026-23518
GHSA-63M5-974W-448V
GO-2026-4335
SUSE-SU-2026:0403-1

Affected Products
Fleet