CVE-2026-24004: CWE-862: Missing Authorization in fleetdm fleet
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. Version 4.80.1 fixes the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
AI Analysis
Technical Summary
Fleet is an open source device management platform used to manage endpoints including Android devices via Mobile Device Management (MDM). In versions prior to 4.80.1, a missing authorization check in the Android MDM Pub/Sub endpoint allows unauthenticated requests to trigger device unenrollment events. Specifically, an attacker can craft and send requests to this endpoint to unenroll targeted Android devices from Fleet management without any authentication or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization). While the attacker cannot gain access to the Fleet server, execute commands on devices, or access device data, the ability to unenroll devices disrupts device management capabilities, potentially impacting organizational control over Android endpoints. The flaw is addressed in Fleet version 4.80.1. If immediate patching is not feasible, disabling Android MDM functionality temporarily prevents exploitation.
Potential Impact
The primary impact is disruption of Android device management within organizations using Fleet for endpoint control. Unauthorized unenrollment removes devices from management, potentially leading to unmanaged devices that do not receive security policies, updates, or monitoring. This can increase the risk of device compromise or data leakage indirectly. However, since no direct access to Fleet or device data is gained, and no command execution is possible, the confidentiality and integrity impacts are minimal. Availability impact is limited to loss of management control over affected Android devices. Organizations relying heavily on Fleet for Android MDM may face operational challenges in maintaining device compliance and security posture until the vulnerability is remediated.
Mitigation Recommendations
Organizations should upgrade Fleet to version 4.80.1 or later as soon as possible to apply the official fix. If immediate upgrading is not possible, temporarily disabling the Android MDM feature in Fleet will prevent exploitation of this vulnerability. Additionally, monitoring network traffic to the Android MDM Pub/Sub endpoint for unusual or unauthorized requests can help detect exploitation attempts. Implementing network-level access controls to restrict access to Fleet management endpoints to trusted sources can further reduce risk. Regular audits of enrolled devices to detect unexpected unenrollments can aid in early detection of exploitation. Finally, educating security teams about this specific vulnerability ensures timely response and remediation.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil
CVE-2026-24004: CWE-862: Missing Authorization in fleetdm fleet
Description
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. Version 4.80.1 fixes the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
AI-Powered Analysis
Technical Analysis
Fleet is an open source device management platform used to manage endpoints including Android devices via Mobile Device Management (MDM). In versions prior to 4.80.1, a missing authorization check in the Android MDM Pub/Sub endpoint allows unauthenticated requests to trigger device unenrollment events. Specifically, an attacker can craft and send requests to this endpoint to unenroll targeted Android devices from Fleet management without any authentication or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization). While the attacker cannot gain access to the Fleet server, execute commands on devices, or access device data, the ability to unenroll devices disrupts device management capabilities, potentially impacting organizational control over Android endpoints. The flaw is addressed in Fleet version 4.80.1. If immediate patching is not feasible, disabling Android MDM functionality temporarily prevents exploitation.
Potential Impact
The primary impact is disruption of Android device management within organizations using Fleet for endpoint control. Unauthorized unenrollment removes devices from management, potentially leading to unmanaged devices that do not receive security policies, updates, or monitoring. This can increase the risk of device compromise or data leakage indirectly. However, since no direct access to Fleet or device data is gained, and no command execution is possible, the confidentiality and integrity impacts are minimal. Availability impact is limited to loss of management control over affected Android devices. Organizations relying heavily on Fleet for Android MDM may face operational challenges in maintaining device compliance and security posture until the vulnerability is remediated.
Mitigation Recommendations
Organizations should upgrade Fleet to version 4.80.1 or later as soon as possible to apply the official fix. If immediate upgrading is not possible, temporarily disabling the Android MDM feature in Fleet will prevent exploitation of this vulnerability. Additionally, monitoring network traffic to the Android MDM Pub/Sub endpoint for unusual or unauthorized requests can help detect exploitation attempts. Implementing network-level access controls to restrict access to Fleet management endpoints to trusted sources can further reduce risk. Regular audits of enrolled devices to detect unexpected unenrollments can aid in early detection of exploitation. Finally, educating security teams about this specific vulnerability ensures timely response and remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-19T18:49:20.659Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a05b9eb7ef31ef0b68a5fe
Added to database: 2/26/2026, 2:41:34 PM
Last enriched: 2/26/2026, 2:58:16 PM
Last updated: 2/26/2026, 11:13:47 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-3268: Improper Access Controls in psi-probe PSI Probe
MediumCVE-2026-28280: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jmpsec osctrl
MediumCVE-2026-28279: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jmpsec osctrl
HighCVE-2026-28276: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Morelitea initiative
HighCVE-2026-28275: CWE-613: Insufficient Session Expiration in Morelitea initiative
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.