GHSA-X4QR-QW6H-WVXQ
Vulnerability from github – Published: 2026-06-12 21:00 – Updated: 2026-06-26 20:20Summary
A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service (APNS) tokens — through a cursor-based binary search oracle. The endpoint accepted a user-supplied order_key parameter that was not validated against a column allowlist.
Impact
The GET /api/v1/fleet/mdm/apple/commands endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the ORDER BY clause. The underlying query joins the hosts and nano_enrollments tables, so any column on those tables could be supplied as order_key. An attacker with Observer credentials could then use the cursor-based pagination parameter (after) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.
With extracted node_key or orbit_node_key values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate.
Exploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected.
Workarounds
If an immediate upgrade is not possible, administrators should:
- Restrict the Observer role to fully trusted users until the patch is applied
- Rotate
node_keyandorbit_node_keyfor any host suspected of exposure by re-enrolling the affected hosts
For more information
If there are any questions or comments about this advisory:
Email Fleet at security@fleetdm.com Join #fleet in osquery Slack
Credits
Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.84.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.84.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46371"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T21:00:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA vulnerability in Fleet\u0027s Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables \u2014 including host enrollment secrets and Apple Push Notification Service (APNS) tokens \u2014 through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist.\n\n### Impact\n\nThe `GET /api/v1/fleet/mdm/apple/commands` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. The underlying query joins the `hosts` and `nano_enrollments` tables, so any column on those tables could be supplied as `order_key`. An attacker with Observer credentials could then use the cursor-based pagination parameter (`after`) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.\n\nWith extracted `node_key` or `orbit_node_key` values, an attacker could impersonate enrolled hosts to Fleet\u0027s osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization\u0027s APNS certificate.\n\nExploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected.\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should:\n\n- Restrict the Observer role to fully trusted users until the patch is applied\n- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.",
"id": "GHSA-x4qr-qw6h-wvxq",
"modified": "2026-06-26T20:20:41Z",
"published": "2026-06-12T21:00:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-x4qr-qw6h-wvxq"
},
{
"type": "PACKAGE",
"url": "https://github.com/fleetdm/fleet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.