PT-2026-40969 · Fleet · Fleet

Arthurgervais

+1

·

Published

2026-05-14

·

Updated

2026-06-25

·

CVE-2026-24899

CVSS v4.0

8.2

High

VectorAV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.82.0
Description A flaw in the Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. The software validates JWT (JSON Web Token) signatures using Microsoft's multi-tenant JWKS endpoint but fails to enforce the aud (audience) or iss (issuer) claims. Consequently, any Microsoft-signed Azure AD access token with the required scopes can authenticate to MDM endpoints. An attacker with access to any Azure AD tenant can use a valid token to enroll unauthorized devices and interact with MDM management APIs. Additionally, sensitive enrollment secrets embedded in MDM command payloads may be exposed during device management, potentially leading to further unauthorized access.
Recommendations Update to version 4.82.0. As a temporary workaround, disable Windows MDM.

Exploit

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-24899
GHSA-FFG9-J72F-J6XM
GO-2026-5358

Affected Products

Fleet