CVE-2026-24899: CWE-290: Authentication Bypass by Spoofing in fleetdm fleet
Fleet versions prior to 4. 82. 0 contain an authentication bypass vulnerability in the Windows MDM enrollment flow. The flaw allows acceptance of authentication tokens from any Azure AD tenant because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the 'aud' or 'iss' claims. This enables attackers with access to any Azure AD tenant to enroll unauthorized devices and interact with Fleet's MDM APIs, potentially exposing sensitive enrollment secrets. Version 4. 82. 0 includes a patch that addresses this issue. If upgrading immediately is not feasible, disabling Windows MDM is recommended as a temporary mitigation.
AI Analysis
Technical Summary
Fleet, an open source device management software, prior to version 4.82.0, improperly validates Azure AD JWT tokens by accepting any Microsoft-signed token with expected scopes regardless of the 'aud' (audience) or 'iss' (issuer) claims. This authentication bypass (CWE-290) affects the Windows MDM enrollment flow, allowing attackers with tokens from any Azure AD tenant to enroll unauthorized devices and access Fleet's MDM management APIs. Sensitive enrollment secrets may be exposed during device management. The vulnerability is patched in Fleet version 4.82.0. Fleet is a cloud service, and the vendor manages remediation for the cloud-hosted service.
Potential Impact
An attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to bypass authentication in Fleet's Windows MDM enrollment flow. This can lead to unauthorized device enrollment and interaction with Fleet's MDM management APIs. Sensitive enrollment secrets embedded in MDM command payloads may be exposed, increasing the risk of further unauthorized access. The CVSS 4.0 score is 8.2 (high severity), reflecting network attack vector, high complexity, and high impact on confidentiality.
Mitigation Recommendations
Fleet version 4.82.0 contains a patch that fixes this vulnerability. Users should upgrade to version 4.82.0 or later to remediate the issue. Since Fleet is a cloud service, the vendor manages remediation for the cloud-hosted service; users should consult the vendor advisory for confirmation. If immediate upgrade is not possible, affected users should temporarily disable Windows MDM to mitigate the risk.
CVE-2026-24899: CWE-290: Authentication Bypass by Spoofing in fleetdm fleet
Description
Fleet versions prior to 4. 82. 0 contain an authentication bypass vulnerability in the Windows MDM enrollment flow. The flaw allows acceptance of authentication tokens from any Azure AD tenant because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the 'aud' or 'iss' claims. This enables attackers with access to any Azure AD tenant to enroll unauthorized devices and interact with Fleet's MDM APIs, potentially exposing sensitive enrollment secrets. Version 4. 82. 0 includes a patch that addresses this issue. If upgrading immediately is not feasible, disabling Windows MDM is recommended as a temporary mitigation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Fleet, an open source device management software, prior to version 4.82.0, improperly validates Azure AD JWT tokens by accepting any Microsoft-signed token with expected scopes regardless of the 'aud' (audience) or 'iss' (issuer) claims. This authentication bypass (CWE-290) affects the Windows MDM enrollment flow, allowing attackers with tokens from any Azure AD tenant to enroll unauthorized devices and access Fleet's MDM management APIs. Sensitive enrollment secrets may be exposed during device management. The vulnerability is patched in Fleet version 4.82.0. Fleet is a cloud service, and the vendor manages remediation for the cloud-hosted service.
Potential Impact
An attacker with access to any Azure AD tenant can obtain a valid Microsoft-signed token and use it to bypass authentication in Fleet's Windows MDM enrollment flow. This can lead to unauthorized device enrollment and interaction with Fleet's MDM management APIs. Sensitive enrollment secrets embedded in MDM command payloads may be exposed, increasing the risk of further unauthorized access. The CVSS 4.0 score is 8.2 (high severity), reflecting network attack vector, high complexity, and high impact on confidentiality.
Mitigation Recommendations
Fleet version 4.82.0 contains a patch that fixes this vulnerability. Users should upgrade to version 4.82.0 or later to remediate the issue. Since Fleet is a cloud service, the vendor manages remediation for the cloud-hosted service; users should consult the vendor advisory for confirmation. If immediate upgrade is not possible, affected users should temporarily disable Windows MDM to mitigate the risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-27T19:35:20.529Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a062489ec166c07b00b4bc0
Added to database: 5/14/2026, 7:37:45 PM
Last enriched: 5/14/2026, 7:53:42 PM
Last updated: 5/15/2026, 6:26:10 AM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.