PT-2026-40979 · Fleet · Fleet

Fuzzztf

·

Published

2026-05-14

·

Updated

2026-06-25

·

CVE-2026-46356

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.80.1
Description An issue in the IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. The software extracts client IP addresses from request headers (True-Client-IP, X-Real-IP, X-Forwarded-For) without validating if they originate from a trusted proxy. Since the extracted IP serves as the key for rate limiting and IP ban decisions, an attacker can rotate these header values to make each request appear as if it comes from a different client. This enables unrestricted brute-force or credential stuffing attacks against sensitive endpoints, such as the login API. This primarily affects instances exposed to the public internet without a reverse proxy that overwrites forwarded-IP headers.
Recommendations Update to version 4.80.1. Deploy the software behind a reverse proxy that overwrites X-Forwarded-For with the true client IP and apply rate limiting at the proxy or WAF layer.

Exploit

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46356
GHSA-MXMP-WR3W-RVQX
GO-2026-5520

Affected Products

Fleet