CVE-2026-22808: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fleetdm fleet
CVE-2026-22808 is a medium severity cross-site scripting (XSS) vulnerability in fleetdm's open source device management software, fleet, affecting versions prior to 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3.
AI Analysis
Technical Summary
CVE-2026-22808 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the fleetdm fleet device management software. The flaw exists in versions prior to 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, specifically when Windows Mobile Device Management (MDM) is enabled. The vulnerability allows an unauthenticated attacker to inject malicious scripts during web page generation, which can execute in the context of the Fleet administrator's browser. This leads to theft of the administrator's authentication token (FLEET::auth_token) stored in localStorage. With this token, attackers can impersonate the administrator, gaining unauthorized access to the fleet management console. This access enables attackers to view sensitive device data, alter configurations, and potentially disrupt device management operations. Exploitation requires no authentication but does require user interaction, such as the administrator visiting a crafted malicious URL or page. The vulnerability has a CVSS 4.0 base score of 5.5, indicating medium severity, with network attack vector, low attack complexity, and partial required privileges and user interaction. No public exploits have been reported yet. The issue is fixed in the specified patched versions. If patching is not immediately possible, disabling Windows MDM temporarily is recommended to mitigate risk.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of device management operations. Fleetdm fleet is used to manage endpoints across enterprises, and unauthorized administrative access could lead to exposure of sensitive device information, unauthorized configuration changes, and potential disruption of endpoint management. This could impact compliance with data protection regulations such as GDPR if personal or sensitive data on managed devices is exposed. Organizations relying on Windows MDM integration with fleet are particularly vulnerable. The medium severity indicates that while the vulnerability is exploitable without authentication, it requires user interaction, somewhat limiting widespread exploitation. However, targeted attacks against administrators could lead to significant operational and security consequences. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
1. Upgrade fleetdm fleet installations immediately to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 or later, which contain the fix for this vulnerability.
2. If immediate upgrading is not feasible, temporarily disable Windows MDM integration within fleet to prevent exploitation.
3. Educate administrators to avoid clicking on untrusted links or visiting suspicious web pages while logged into the fleet management console.
4. Implement Content Security Policy (CSP) headers to reduce the risk of XSS exploitation by restricting script sources.
5. Regularly audit and monitor fleet logs for unusual administrative access patterns that could indicate token theft or misuse.
6. Consider isolating fleet management consoles behind VPNs or restricted network access to reduce exposure to external attackers.
7. Review and limit browser localStorage usage and consider token expiration policies to reduce the window of token misuse.
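Recommendation 5 above asks for log review that can surface a stolen FLEET::auth_token being replayed. The following is an added example, not code from Fleet or from this advisory: it assumes a constructed JSON-lines access log (fields ts, user, src_ip, user_agent, path; this is not Fleet's real log schema) and flags an account whose requests switch to a different client (IP or browser) within a short window, which is how a token lifted from localStorage usually shows up.

```python
"""Flag possible stolen-token reuse in Fleet admin activity.

Constructed example log format (NOT Fleet's actual log schema): one JSON
object per line with ts (ISO 8601 UTC), user, src_ip, user_agent, path.
"""
import json
from datetime import datetime, timedelta

# Constructed sample lines: the admin works from one IP and browser, then
# the same account appears from another IP and a non-browser client minutes
# later, which is what replay of a stolen auth token tends to look like.
SAMPLE_LOG = """
{"ts": "2026-01-22T09:00:00Z", "user": "admin@example.com", "src_ip": "10.0.0.5", "user_agent": "Firefox/121", "path": "/api/v1/fleet/hosts"}
{"ts": "2026-01-22T09:03:10Z", "user": "admin@example.com", "src_ip": "10.0.0.5", "user_agent": "Firefox/121", "path": "/api/v1/fleet/config"}
{"ts": "2026-01-22T09:07:45Z", "user": "admin@example.com", "src_ip": "203.0.113.9", "user_agent": "curl/8.4", "path": "/api/v1/fleet/config"}
{"ts": "2026-01-22T15:00:00Z", "user": "analyst@example.com", "src_ip": "10.0.0.7", "user_agent": "Chrome/120", "path": "/api/v1/fleet/hosts"}
"""


def parse_lines(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_token_reuse(events, window=timedelta(minutes=30)):
    """Return one alert per request where an account is seen from a new
    (src_ip, user_agent) pair within `window` of its previous request.
    A legitimate admin rarely changes client mid-session; a replayed
    FLEET::auth_token from an attacker's machine almost always does."""
    last_seen = {}
    alerts = []
    for e in events:
        key = (e["src_ip"], e["user_agent"])
        prev = last_seen.get(e["user"])
        if prev and prev["key"] != key and e["ts"] - prev["ts"] <= window:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "from": prev["key"], "to": key, "path": e["path"]})
        last_seen[e["user"]] = {"key": key, "ts": e["ts"]}
    return alerts


if __name__ == "__main__":
    for alert in find_token_reuse(parse_lines(SAMPLE_LOG)):
        print(alert)
```

Pair an alert with the recommended token expiration policy: revoking the session for the flagged account closes the window in which the replayed token is useful.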
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T22:50:10.288Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697146bc4623b1157ced22dd
Added to database: 1/21/2026, 9:35:56 PM
Last enriched: 1/29/2026, 8:46:55 AM
Last updated: 2/7/2026, 4:00:18 AM