PT-2026-40967 · Fleet · Fleet

Published: 2026-05-14 · Updated: 2026-05-14 · CVE-2026-23998

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.0

Description: A flaw in the Windows MDM management endpoint allows requests to be processed without proper client certificate validation. The endpoint relies on mutual TLS (mTLS), in which client and server authenticate each other with certificates, to authenticate enrolled devices. In affected versions, requests lacking a client certificate may be incorrectly treated as trusted. An attacker who knows a valid enrolled device identifier could impersonate that device and retrieve sensitive configuration payloads delivered through MDM profiles, such as VPN or Wi-Fi configuration data, certificates, or other secrets. The impact is limited to the targeted Windows device: the flaw does not grant administrative access to the control plane and does not allow the enrollment of new devices.

Recommendations: Update to version 4.81.0. As a temporary workaround, disable Windows MDM.
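The weak and corrected server-side checks that the description refers to, shown side by side as an added example in Go (the language Fleet is written in); this is illustration code written for this page, not Fleet's own code or its actual fix. The handler path, the `device` query parameter, and binding the device identifier to the client certificate's Common Name are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
)

// Sentinel errors returned by the strict authorization check.
var (
	ErrNoClientCert   = errors.New("no client certificate presented")
	ErrDeviceMismatch = errors.New("client certificate identity does not match requested device")
)

// authorizeDeviceWeak reproduces the failure mode the advisory describes
// (constructed illustration, not Fleet's code): the handler trusts the
// device identifier carried in the request and never consults the TLS
// layer, so a request with no client certificate is treated as the device.
func authorizeDeviceWeak(state *tls.ConnectionState, deviceID string) error {
	if deviceID == "" {
		return errors.New("missing device identifier")
	}
	return nil // state is ignored: this is the bug
}

// authorizeDeviceStrict is the hardened check: a peer certificate must be
// present and its identity must be bound to the device being requested.
// Binding via Subject.CommonName is an assumption made for this example;
// a real deployment uses whatever identity field its enrollment
// certificates carry.
func authorizeDeviceStrict(state *tls.ConnectionState, deviceID string) error {
	if state == nil || len(state.PeerCertificates) == 0 {
		return ErrNoClientCert
	}
	leaf := state.PeerCertificates[0]
	if deviceID == "" || leaf.Subject.CommonName != deviceID {
		return ErrDeviceMismatch
	}
	return nil
}

// serverTLSConfig makes the TLS layer itself refuse handshakes that do not
// present a certificate chaining to clientCAs. The handler check above stays
// in place as defense in depth: a ClientAuth of VerifyClientCertIfGiven, or
// a TLS-terminating proxy in front of the app, would otherwise let
// certificate-less requests reach the handler.
func serverTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
		MinVersion: tls.VersionTLS12,
	}
}

// profileHandler returns an MDM profile payload only to a client that proved
// via mTLS that it is the device it asks for. Path and query parameter are
// assumptions for this example.
func profileHandler(w http.ResponseWriter, r *http.Request) {
	deviceID := r.URL.Query().Get("device")
	if err := authorizeDeviceStrict(r.TLS, deviceID); err != nil {
		http.Error(w, err.Error(), http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "profile payload for %s\n", deviceID)
}

func main() {
	// Constructed TLS states: one with no client certificate (the case the
	// advisory describes) and one whose certificate names the device.
	noCert := &tls.ConnectionState{}
	withCert := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{
		{Subject: pkix.Name{CommonName: "device-123"}},
	}}
	fmt.Println("weak, no cert:    ", authorizeDeviceWeak(noCert, "device-123"))
	fmt.Println("strict, no cert:  ", authorizeDeviceStrict(noCert, "device-123"))
	fmt.Println("strict, cert ok:  ", authorizeDeviceStrict(withCert, "device-123"))
	fmt.Println("strict, wrong id: ", authorizeDeviceStrict(withCert, "device-999"))
	_ = serverTLSConfig(x509.NewCertPool())
}
```

The point of keeping both layers is that the TLS configuration decides whether a handshake without a certificate is possible at all, while the per-request check decides whether the certificate that was presented is the one belonging to the device whose payload is being requested; the second check is what stops an enrolled device identifier alone from being enough.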

Fix

Weakness Enumeration: Improper Certificate Validation

Related Identifiers:
CVE-2026-23998
GHSA-2RC4-7JC6-QFFH

Affected Products: Fleet