PT-2026-40979 · Fleet · Fleet
Fuzzztf
·
Published
2026-05-14
·
Updated
2026-06-25
·
CVE-2026-46356
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Fleet versions prior to 4.80.1
Description
An issue in the IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. The software extracts client IP addresses from request headers (
True-Client-IP, X-Real-IP, X-Forwarded-For) without validating if they originate from a trusted proxy. Since the extracted IP serves as the key for rate limiting and IP ban decisions, an attacker can rotate these header values to make each request appear as if it comes from a different client. This enables unrestricted brute-force or credential stuffing attacks against sensitive endpoints, such as the login API. This primarily affects instances exposed to the public internet without a reverse proxy that overwrites forwarded-IP headers.Recommendations
Update to version 4.80.1.
Deploy the software behind a reverse proxy that overwrites
X-Forwarded-For with the true client IP and apply rate limiting at the proxy or WAF layer.Exploit
Fix
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fleet