GHSA-X67P-9M2R-FXQV

Vulnerability from github – Published: 2026-05-14 13:17 – Updated: 2026-05-15 23:45
Summary
Fleet server may terminate unexpectedly when handling certain gRPC requests
Details

Summary

Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host.

Impact

An authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the PublishLogs endpoint.

This vulnerability impacts availability only. There is:

  • No exposure of sensitive data
  • No authentication bypass
  • No privilege escalation
  • No integrity impact

Workarounds

If upgrading immediately is not possible, the following mitigations can reduce exposure:

  • Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges).
  • Deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required.
  • Monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.
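The last workaround above is a detection task: notice when the Fleet process exits repeatedly within a short time. The Go program below is an added example (not code from the advisory or the Fleet project) that scans systemd journal lines for "Main process exited" events of one unit and raises an alert when a configurable number of exits fall inside a sliding time window. The unit name fleet.service, the host name and the journal lines themselves are constructed assumptions for the example; the window and threshold are illustrative values to tune per deployment.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Burst records a run of process exits that fits inside the detection window.
type Burst struct {
	Start, End time.Time
	Count      int
}

// sampleJournal is a constructed systemd journal excerpt for this example.
// The unit name fleet.service and the host name are assumptions, not taken
// from the advisory. Three exits in 16 seconds, then one isolated exit later.
const sampleJournal = `May 14 13:20:01 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 14 13:20:06 fleet01 systemd[1]: fleet.service: Scheduled restart job, restart counter is at 1.
May 14 13:20:06 fleet01 systemd[1]: Started fleet.service - Fleet server.
May 14 13:20:09 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 14 13:20:14 fleet01 systemd[1]: fleet.service: Scheduled restart job, restart counter is at 2.
May 14 13:20:14 fleet01 systemd[1]: Started fleet.service - Fleet server.
May 14 13:20:17 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 14 13:20:22 fleet01 systemd[1]: fleet.service: Scheduled restart job, restart counter is at 3.
May 14 14:05:00 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
`

// parseCrashTimes returns the timestamps of "Main process exited" events for
// the given unit, sorted ascending. Journal lines carry no year, so the caller
// supplies one.
func parseCrashTimes(journal, unit string, year int) ([]time.Time, error) {
	var crashes []time.Time
	marker := unit + ": Main process exited"
	sc := bufio.NewScanner(strings.NewReader(journal))
	for sc.Scan() {
		line := sc.Text()
		if !strings.Contains(line, marker) {
			continue
		}
		// "May 14 13:20:01 host ...": the first three fields are the timestamp.
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		t, err := time.Parse("Jan _2 15:04:05", strings.Join(fields[:3], " "))
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		crashes = append(crashes, time.Date(year, t.Month(), t.Day(),
			t.Hour(), t.Minute(), t.Second(), 0, time.UTC))
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.Slice(crashes, func(i, j int) bool { return crashes[i].Before(crashes[j]) })
	return crashes, nil
}

// crashBursts slides a window over the sorted exit times and emits one Burst
// each time the number of exits inside the window first reaches threshold.
func crashBursts(crashes []time.Time, window time.Duration, threshold int) []Burst {
	var bursts []Burst
	start := 0
	alerted := false
	for i, t := range crashes {
		// Drop exits that fell out of the window ending at t.
		for t.Sub(crashes[start]) > window {
			start++
		}
		count := i - start + 1
		if count >= threshold && !alerted {
			bursts = append(bursts, Burst{Start: crashes[start], End: t, Count: count})
			alerted = true
		} else if count < threshold {
			alerted = false
		}
	}
	return bursts
}

func main() {
	crashes, err := parseCrashTimes(sampleJournal, "fleet.service", 2026)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, b := range crashBursts(crashes, 5*time.Minute, 3) {
		fmt.Printf("ALERT: %d exits of fleet.service between %s and %s\n",
			b.Count, b.Start.Format(time.RFC3339), b.End.Format(time.RFC3339))
	}
}
```

On the constructed input this flags the three exits between 13:20:01 and 13:20:17 and ignores the single exit at 14:05, which is the distinction the workaround asks for: a lone restart is routine, a tight cluster is worth investigating. In production the journal text would come from `journalctl -u fleet.service -o short` or the structured journal API instead of a string constant.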

For More Information

If you have any questions or concerns about this advisory, please contact us at:

Email us at security@fleetdm.com

Credits

We thank @fuzzztf for responsibly reporting this issue.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.81.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:17:18Z",
    "nvd_published_at": "2026-05-14T20:17:02Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nFleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrolled Launcher host.\n\n### Impact\n\nAn authenticated attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of service by sending a single gRPC request to the `PublishLogs` endpoint.\n\nThis vulnerability impacts **availability only**. There is:\n\n- No exposure of sensitive data\n- No authentication bypass\n- No privilege escalation\n- No integrity impact\n\n### Workarounds\n\nIf upgrading immediately is not possible, the following mitigations can reduce exposure:\n\n- Restrict network access to the Fleet gRPC endpoint where feasible (for example, limiting inbound access to known host IP ranges).\n- Deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required.\n- Monitor for repeated Fleet process crashes or unexpected restarts indicating potential exploitation.\n\n### For More Information\n\nIf you have any questions or concerns about this advisory, please contact us at:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\n\n### Credits\n\nWe thank @fuzzztf for responsibly reporting this issue.",
  "id": "GHSA-x67p-9m2r-fxqv",
  "modified": "2026-05-15T23:45:30Z",
  "published": "2026-05-14T13:17:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-x67p-9m2r-fxqv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26062"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fleet server may terminate unexpectedly when handling certain gRPC requests"
}
