CISA-2026-22808
Reported by GitHub_M · Published January 21, 2026
fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| fleetdm | fleet | >= 4.78.0, < 4.78.2, >= 4.77.0, < 4.77.1, >= 4.76.0, < 4.76.2 |
| fleetdm | fleet | >= 4.78.0, < 4.78.2, >= 4.77.0, < 4.77.1, >= 4.76.0, < 4.76.2 |
Timeline
- Jan 21, 2026 CVE Published
- Jan 22, 2026 CVE Updated
References
- https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j x_refsource_CONFIRM