Fleet is an open-source device management platform widely used for managing and monitoring endpoints. CVE-2026-23517 is a broken access control vulnerability classified under CWE-862, affecting multiple versions of Fleet prior to the patched releases 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. The issue arises because Fleet’s debug and pprof (profiling) endpoints are accessible to any authenticated user regardless of their assigned role, including the lowest-privilege 'Observer' role. These endpoints expose sensitive internal server diagnostics such as runtime profiling data and in-memory application state, which can reveal critical information about the server’s operation and potentially aid attackers in crafting further attacks. Additionally, these endpoints allow triggering CPU-intensive profiling operations, which can degrade server performance or cause denial of service by exhausting resources. The vulnerability requires authentication but no further user interaction, and it can be exploited remotely over the network. The CVSS v4.0 score is 6.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction needed. No known exploits have been reported in the wild as of the publication date. The recommended remediation is to upgrade to the fixed versions listed or, if immediate upgrade is not feasible, restrict access to the debug/pprof endpoints via IP allowlisting to limit exposure.

For European organizations using Fleet for device management, this vulnerability poses a risk of unauthorized information disclosure and potential denial of service. Low-privilege users or compromised accounts can gain access to sensitive server internals, which may facilitate further exploitation or lateral movement within the network. The ability to trigger resource-intensive profiling operations can degrade system performance or cause outages, impacting operational continuity. Organizations relying on Fleet for managing critical infrastructure or sensitive data may face increased risk of service disruption and data leakage. Given Fleet’s role in endpoint management, exploitation could undermine security monitoring and control capabilities, potentially delaying detection and response to other threats. The impact is particularly significant for organizations with large deployments or those operating in regulated sectors requiring strict access controls and uptime guarantees.

1. Upgrade Fleet installations to the fixed versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 as soon as possible to eliminate the vulnerability. 2. If immediate upgrade is not possible, implement strict IP allowlisting to restrict access to debug and pprof endpoints only to trusted administrative networks or hosts. 3. Review and tighten authentication and authorization policies within Fleet to ensure that debug and profiling endpoints are not exposed to low-privilege users. 4. Monitor access logs for unusual or unauthorized access attempts to debug endpoints. 5. Employ network segmentation to isolate management interfaces from general user networks. 6. Conduct regular audits of user roles and permissions to minimize the number of users with authenticated access. 7. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) to detect and block abnormal profiling requests. 8. Educate administrators and users about the risks of exposing debug endpoints and the importance of applying security patches promptly.