CVE-2026-26060: CWE-613: Insufficient Session Expiration in fleetdm fleet
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
AI Analysis
Technical Summary
CVE-2026-26060 is classified under CWE-613 (Insufficient Session Expiration) and affects Fleet, an open source device management platform used for endpoint management and security monitoring. Prior to version 4.81.0, Fleet's password management logic did not invalidate previously issued password reset tokens when a user changed their password. A stale reset token therefore stayed valid and could be replayed to reset the account password, defeating the purpose of a defensive password change: a user who suspects a reset email was exposed and changes their password anyway remains exposed for as long as the old token is accepted. The practical precondition is possession of a reset token issued before the password change (for example, one read from a compromised mailbox or a proxy log); the analysis additionally rates the flaw as requiring low privileges, with no user interaction. The impact is on the confidentiality and integrity of user accounts, since an unauthorized reset yields account takeover. The CVSS 4.0 base score is 6.0 (medium), reflecting a network attack vector, low attack complexity, partial impact on confidentiality and integrity, and no impact on availability. Version 4.81.0 fixes the issue by invalidating outstanding reset tokens as soon as the password changes, rather than only when a token is used. No exploitation in the wild had been reported as of publication. Organizations running Fleet should upgrade to the patched version.
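The following added example is not Fleet's code; it is a minimal Go sketch of the two code paths the advisory contrasts, with hypothetical names (store, requestReset, changePassword, resetPassword, staleTokenWorks and the revokeOnChange flag) that model the pre-4.81.0 and the fixed behaviour. The point it makes is that consuming a token on use and checking its expiry is not enough: the authenticated password-change path must also revoke tokens the user never used.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Hypothetical in-memory account store; illustrative only, not Fleet's code.
type user struct{ passwordHash string }

type resetToken struct {
	userID    string
	expiresAt time.Time
}

type store struct {
	users  map[string]*user
	tokens map[string]resetToken // token value -> owner and expiry
	// revokeOnChange models the 4.81.0 behaviour: a password change also
	// deletes every outstanding reset token for that user.
	revokeOnChange bool
}

func newStore(fixed bool) *store {
	return &store{users: map[string]*user{}, tokens: map[string]resetToken{}, revokeOnChange: fixed}
}

// hash stands in for a real password hash (use bcrypt or argon2 in production).
func hash(pw string) string { return "h:" + pw }

func (s *store) createUser(id, pw string) { s.users[id] = &user{passwordHash: hash(pw)} }

// requestReset issues a random token bound to the user, as the "forgot
// password" flow would before emailing it.
func (s *store) requestReset(userID string) (string, error) {
	if _, ok := s.users[userID]; !ok {
		return "", errors.New("no such user")
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.tokens[tok] = resetToken{userID: userID, expiresAt: time.Now().Add(24 * time.Hour)}
	return tok, nil
}

// changePassword is the authenticated "I know my current password" path.
// The vulnerable variant only rotates the hash; the fixed variant also
// revokes the user's outstanding reset tokens.
func (s *store) changePassword(userID, oldPw, newPw string) error {
	u, ok := s.users[userID]
	if !ok || u.passwordHash != hash(oldPw) {
		return errors.New("bad credentials")
	}
	u.passwordHash = hash(newPw)
	if s.revokeOnChange {
		for tok, rt := range s.tokens { // deleting during range is safe in Go
			if rt.userID == userID {
				delete(s.tokens, tok)
			}
		}
	}
	return nil
}

// resetPassword is the unauthenticated path driven by the emailed token.
// Tokens are consumed on use and checked for expiry; the bug is only that
// a password change did not consume them.
func (s *store) resetPassword(tok, newPw string) error {
	rt, ok := s.tokens[tok]
	if !ok || time.Now().After(rt.expiresAt) {
		return errors.New("invalid or expired token")
	}
	delete(s.tokens, tok)
	s.users[rt.userID].passwordHash = hash(newPw)
	return nil
}

// staleTokenWorks runs the attack sequence: a token is issued, the victim
// changes their password defensively, then the old token is replayed.
// It returns true when the replay succeeds, i.e. the store is vulnerable.
func staleTokenWorks(fixed bool) bool {
	s := newStore(fixed)
	s.createUser("alice", "old-pw")
	tok, _ := s.requestReset("alice") // assume the attacker obtained this copy
	_ = s.changePassword("alice", "old-pw", "new-pw")
	return s.resetPassword(tok, "attacker-pw") == nil
}

func main() {
	fmt.Println("pre-4.81.0 behaviour, stale token accepted:", staleTokenWorks(false))
	fmt.Println("fixed behaviour, stale token accepted:", staleTokenWorks(true))
}
```

Note that the fixed variant revokes by owner, not by token value: the server does not know which of a user's outstanding tokens the attacker holds, so every token issued before the change has to go. The same revocation belongs on any other credential-rotation event (admin-forced reset, account recovery), for the same reason.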
Potential Impact
An attacker holding a previously issued reset token can reset the account password even after the legitimate user has changed it, which undermines the one defensive action a user can take when they suspect a reset email was exposed. The resulting account takeover gives the attacker whatever the victim could do in Fleet: manipulate device management operations, read sensitive endpoint data, or interfere with security monitoring, with privilege escalation possible if the account is an administrator. The impact is on confidentiality and integrity; no availability impact is noted. Exposure is limited to Fleet deployments running versions prior to 4.81.0, but in environments where Fleet manages critical infrastructure or sensitive data the consequences of a takeover extend well beyond the Fleet console. The medium severity rating reflects that exploitation needs possession of a reset token, which limits the attacker population without eliminating the risk, especially where reset emails are weakly protected or an insider is involved.
Mitigation Recommendations
1. Upgrade Fleet to version 4.81.0 or later. This is the only change that closes the flaw; until it is applied, a defensive password change does not protect an account whose reset email may have been exposed, so treat such accounts as still at risk.
2. Where you operate or review a reset flow, confirm that tokens are single-use, expire promptly, and are revoked on any password change, not only when a token is consumed.
3. Monitor and alert on password reset completions that follow a password change for the same user, and on any reset token used more than once.
4. Restrict who can trigger reset emails and keep audit logs of reset token issuance and use so that misuse can be reconstructed.
5. Educate users and administrators to safeguard reset emails and to report unexpected password reset notifications.
6. Add multi-factor authentication to account recovery where the deployment supports it, so a leaked token alone is not sufficient.
7. Audit Fleet deployments regularly for outdated versions and enforce patch management policies.
8. Where the platform supports it, invalidate all outstanding reset tokens during emergency password changes or suspected compromise; on unpatched Fleet this is exactly the step the application fails to perform, which is why the upgrade comes first.
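As an added example for recommendation 3 above (not part of the advisory, and not Fleet's activity schema), here is a small Go detector over a constructed JSON-lines authentication log. The field names (ts, user, event, token_id) and the event names are assumptions; map them to whatever your Fleet logs or identity provider actually emit. It raises an alert when a reset completes with a token issued before the user's most recent password change, and when any token is used more than once.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed event shape for this example; not Fleet's actual activity schema.
type authEvent struct {
	TS      time.Time `json:"ts"`
	User    string    `json:"user"`
	Event   string    `json:"event"` // password_reset_requested | password_changed | password_reset_completed
	TokenID string    `json:"token_id,omitempty"`
}

// Constructed sample log: alice's 09:00 token is replayed at 10:00 after her
// defensive password change at 09:30; bob's token is used twice.
const sampleLog = `{"ts":"2026-03-27T09:00:00Z","user":"alice","event":"password_reset_requested","token_id":"t-1001"}
{"ts":"2026-03-27T09:30:00Z","user":"alice","event":"password_changed"}
{"ts":"2026-03-27T10:00:00Z","user":"alice","event":"password_reset_completed","token_id":"t-1001"}
{"ts":"2026-03-27T10:05:00Z","user":"bob","event":"password_reset_requested","token_id":"t-1002"}
{"ts":"2026-03-27T10:06:00Z","user":"bob","event":"password_reset_completed","token_id":"t-1002"}
{"ts":"2026-03-27T10:07:00Z","user":"bob","event":"password_reset_completed","token_id":"t-1002"}`

func parseEvents(raw string) ([]authEvent, error) {
	var out []authEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e authEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, sc.Err()
}

// detectStaleResets expects events in chronological order. A completed reset
// also counts as a password change, so a token issued before it is stale too.
func detectStaleResets(events []authEvent) []string {
	issuedAt := map[string]time.Time{}  // token_id -> request time
	lastChange := map[string]time.Time{} // user -> most recent password change
	used := map[string]int{}             // token_id -> completions seen
	var alerts []string
	for _, e := range events {
		switch e.Event {
		case "password_reset_requested":
			issuedAt[e.TokenID] = e.TS
		case "password_changed":
			lastChange[e.User] = e.TS
		case "password_reset_completed":
			used[e.TokenID]++
			if used[e.TokenID] > 1 {
				alerts = append(alerts, fmt.Sprintf("%s: token %s used %d times", e.User, e.TokenID, used[e.TokenID]))
			}
			if iss, ok := issuedAt[e.TokenID]; ok {
				if chg, ok := lastChange[e.User]; ok && iss.Before(chg) {
					alerts = append(alerts, fmt.Sprintf("%s: token %s issued %s, before password change at %s",
						e.User, e.TokenID, iss.Format(time.RFC3339), chg.Format(time.RFC3339)))
				}
			}
			lastChange[e.User] = e.TS
		}
	}
	return alerts
}

// runDetection parses the constructed log and returns the alerts it produces.
func runDetection() []string {
	events, err := parseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	return detectStaleResets(events)
}

func main() {
	for _, a := range runDetection() {
		fmt.Println("ALERT", a)
	}
}
```

On the sample log this produces three alerts: alice's stale token, bob's second use of t-1002, and, because the first completion already rotated bob's password, the same token flagged as stale on its second use. In a real pipeline the "issued before last change" rule is the one that catches CVE-2026-26060 specifically; the reuse rule catches replay regardless of version.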
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-10T18:01:31.899Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6d01e3c064ed76fe28e08
Added to database: 3/27/2026, 6:44:46 PM
Last enriched: 3/27/2026, 7:00:57 PM
Last updated: 3/28/2026, 1:03:08 AM