Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-23518

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Back to all
CVE

CVE-2026-23518

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

Summary

A vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.

Impact

If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.

Patches

  • 4.78.3
  • 4.77.1
  • 4.76.2
  • 4.75.2
  • 4.53.3

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com

Join #fleet in osquery Slack

Credits

We thank @secfox-ai for responsibly reporting this issue.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.3
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v, https://nvd.nist.gov/vuln/detail/CVE-2026-23518, https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257, https://github.com/fleetdm/fleet

Severity

9.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.8
EPSS Probability
0.00041%
EPSS Percentile
0.12401%
Introduced Version
4.78.0,v4.78.0,v4.77.0,v4.76.0,v4.36.0,v4.0.0-20230719163024-f429c6db4915
Fix Available
4.78.3,v4.78.3,v4.77.1,v4.76.2,v4.75.2,v4.0.0-20260112202845-e225ef57912c

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading