CVE-2026-23998: CWE-295: Improper Certificate Validation in fleetdm fleet
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data. Fleet’s Windows MDM management endpoint relies on mutual TLS (mTLS) client certificates to authenticate enrolled devices. In affected versions, requests that did not present a client certificate could be incorrectly treated as trusted. As a result, an attacker with prior knowledge of a valid enrolled device identifier could potentially impersonate that device and receive configuration payloads intended for it. These payloads may contain sensitive information such as Wi-Fi or VPN configuration data, certificates, or other secrets delivered through MDM profiles. This issue does not allow enrollment of new devices, administrative access to Fleet, or compromise of the Fleet control plane. Impact is limited to the targeted Windows device. Version 4.81.0 contains a patch. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
AI Analysis
Technical Summary
Fleet, an open source device management platform, had a certificate validation flaw (CVE-2026-23998) in its Windows MDM management endpoint prior to version 4.81.0. The endpoint authenticates enrolled devices with mutual TLS client certificates, but in affected versions a request that presented no client certificate at all could be treated as trusted; the weakness is the acceptance of a missing certificate, not the acceptance of a forged one. An attacker who already knew a valid enrolled device identifier could therefore send a certificate-less request naming that device and receive the configuration payloads (MDM profiles) intended for it. The exposure is limited to the targeted Windows device: it does not enable new enrollments, administrative access, or compromise of the Fleet control plane. The issue is fixed in Fleet 4.81.0.
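The following Go program is an added illustration of the failure mode described above; it is not Fleet's code and makes no claim about how Fleet's handler is written. It contrasts a handler that falls back to the caller-supplied identifier when no client certificate is present with one that fails closed, and pairs them with the two `tls.Config` client-auth settings that decide whether a certificate-less connection ever reaches the handler. The assumption that the device identifier lives in the certificate Subject CN, the function names, and the sample device identifier are all hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

var (
	ErrNoClientCert   = errors.New("mdm: no client certificate presented")
	ErrDeviceMismatch = errors.New("mdm: client certificate identity does not match claimed device")
)

// deviceIDFromCert extracts the enrolled-device identity from the leaf
// certificate of a TLS session. Assumption for this example: the device
// identifier is carried in the Subject CN; a real deployment may use a SAN
// or a different mapping.
func deviceIDFromCert(st *tls.ConnectionState) string {
	if st == nil || len(st.PeerCertificates) == 0 {
		return ""
	}
	return st.PeerCertificates[0].Subject.CommonName
}

// vulnerableDeviceID illustrates the advisory's failure mode: when a
// certificate is present its identity is used, but when none is present the
// request is still processed under the identifier the caller supplied, so
// anyone who knows that identifier is treated as the device.
func vulnerableDeviceID(st *tls.ConnectionState, claimed string) (string, error) {
	if id := deviceIDFromCert(st); id != "" {
		return id, nil
	}
	// BUG: absence of a certificate is treated as "trusted".
	return claimed, nil
}

// hardenedDeviceID fails closed: no certificate means no identity, and the
// certificate identity must match the identifier the request claims.
func hardenedDeviceID(st *tls.ConnectionState, claimed string) (string, error) {
	id := deviceIDFromCert(st)
	if id == "" {
		return "", ErrNoClientCert
	}
	if id != claimed {
		return "", ErrDeviceMismatch
	}
	return id, nil
}

// weakTLSConfig lets the handshake succeed with no client certificate at all;
// only a certificate that is presented gets verified. This is what allows an
// unauthenticated request to reach a handler like vulnerableDeviceID.
func weakTLSConfig(deviceCA *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs:  deviceCA,
		MinVersion: tls.VersionTLS12,
	}
}

// strictTLSConfig rejects the handshake unless the client presents a
// certificate that chains to the device CA, so the handler-level check in
// hardenedDeviceID becomes defense in depth rather than the only gate.
func strictTLSConfig(deviceCA *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  deviceCA,
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	// Constructed sample sessions: one with no peer certificate (the
	// attacker's request) and one carrying a device certificate. The
	// certificate is a bare struct because chain validation belongs to the
	// TLS layer, not to this handler check.
	noCert := &tls.ConnectionState{}
	withCert := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{
		{Subject: pkix.Name{CommonName: "device-0001"}},
	}}

	for _, c := range []struct {
		name string
		st   *tls.ConnectionState
	}{{"no certificate", noCert}, {"device certificate", withCert}} {
		id, err := vulnerableDeviceID(c.st, "device-0001")
		fmt.Printf("vulnerable  %-19s -> id=%q err=%v\n", c.name, id, err)
		id, err = hardenedDeviceID(c.st, "device-0001")
		fmt.Printf("hardened    %-19s -> id=%q err=%v\n", c.name, id, err)
	}
}
```

The point of pairing the two layers is that a handler check alone is fragile (one code path that forgets it reopens the hole), while `RequireAndVerifyClientCert` alone leaves the handler trusting whatever identifier the request body names; the certificate identity should be the source of truth and the request's identifier merely cross-checked against it.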
Potential Impact
An attacker who knows a valid enrolled Windows device identifier can impersonate that device to retrieve sensitive configuration data such as Wi-Fi and VPN configurations, certificates, and other secrets delivered through MDM profiles. This exposure is limited to the targeted device and does not enable enrollment of new devices, administrative access, or compromise of the Fleet control plane. The CVSS 4.0 score is 8.2, indicating a high severity vulnerability with network attack vector and high impact on confidentiality.
Mitigation Recommendations
Fleet version 4.81.0 contains the fix and should be applied to affected deployments; confirm the running server version is 4.81.0 or later rather than relying on the date of the last upgrade. If upgrading immediately is not possible, temporarily disable Windows MDM, bearing in mind that this also suspends management of already-enrolled Windows devices until it is re-enabled. The advisory names no other mitigations or workarounds.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-19T18:49:20.658Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: not provided
Threat ID: 6a06e21bec166c07b0e8f06f
Added to database: 5/15/2026, 9:06:35 AM
Last enriched: 5/15/2026, 9:08:22 AM
Last updated: 5/16/2026, 6:26:55 AM