GHSA-PPWX-5JQ7-PX2W

Vulnerability from github – Published: 2026-02-26 19:35 – Updated: 2026-02-26 19:35
VLAI?
Summary
Fleet: Device lock PIN can be predicted if lock time is known
Details

Summary

Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.

Impact

Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp.

An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window.

However, successful exploitation is constrained by multiple factors: - Physical access to the device is required. - The approximate lock time must be known. - The operating system enforces rate limiting on PIN entry attempts. - Attempts would need to be spread over multiple days. - Device wipe operations would typically complete before sufficient attempts could be made.

As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls.

Workarounds

There are no known workarounds for this issue. Customers should upgrade to a patched version.

For more information

If there are any questions or comments about this advisory:

Email Fleet at security@fleetdm.com Join #fleet in osquery Slack

Credits

Fleet thanks @secfox-ai for responsibly reporting this issue.

Severity ?
4.1 (Medium)
CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.80.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T19:35:29Z",
    "nvd_published_at": "2026-02-26T03:16:04Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nFleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.\n\n### Impact\n\nFleet\u2019s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp.\n\nAn attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window.\n\nHowever, successful exploitation is constrained by multiple factors:\n- Physical access to the device is required.\n- The approximate lock time must be known.\n- The operating system enforces rate limiting on PIN entry attempts.\n- Attempts would need to be spread over multiple days.\n- Device wipe operations would typically complete before sufficient attempts could be made.\n\nAs a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls.\n\n### Workarounds\n\nThere are no known workarounds for this issue. Customers should upgrade to a patched version.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this issue.",
  "id": "GHSA-ppwx-5jq7-px2w",
  "modified": "2026-02-26T19:35:29Z",
  "published": "2026-02-26T19:35:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-ppwx-5jq7-px2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23999"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/commit/05ca0693621e6671fb95dfc5437b9f9ee6dd7047"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fleet: Device lock PIN can be predicted if lock time is known"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.