CVE-2026-26061 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting Fleet, an open-source device management platform. Prior to version 4.81.0, Fleet exposes multiple HTTP endpoints that do not enforce limits on the size of incoming request bodies. These endpoints are unauthenticated, meaning any remote attacker can send HTTP requests without credentials. By sending excessively large or repeated payloads, an attacker can cause the Fleet server to allocate large amounts of memory, overwhelming system resources. This results in a denial-of-service (DoS) condition, potentially crashing the service or severely degrading its performance. The vulnerability does not require any user interaction or authentication, increasing its risk. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low complexity, no privileges or user interaction needed, and a high impact on availability. Although no known exploits are currently in the wild, the vulnerability's characteristics make it a significant risk for Fleet deployments. The issue was addressed in Fleet version 4.81.0 by implementing request size limits to prevent uncontrolled memory allocation.

The primary impact of CVE-2026-26061 is denial-of-service, which can disrupt device management operations relying on Fleet. Organizations using vulnerable versions may experience service outages or degraded performance due to memory exhaustion, affecting fleet visibility, device control, and security monitoring. This can hinder incident response and operational continuity, especially in environments managing large numbers of devices. The unauthenticated nature of the vulnerability means attackers can exploit it remotely without credentials, increasing the attack surface. In critical infrastructure or enterprises with extensive device fleets, such disruptions could lead to operational delays, increased risk exposure, and potential compliance issues. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact alone can have severe operational consequences.

To mitigate CVE-2026-26061, organizations should immediately upgrade Fleet to version 4.81.0 or later, where request size limits are enforced. Until upgrades are applied, network-level controls such as web application firewalls (WAFs) or reverse proxies should be configured to limit HTTP request body sizes and rate-limit requests to Fleet endpoints. Monitoring for unusual traffic patterns or spikes in request sizes can help detect attempted exploitation. Additionally, deploying Fleet behind VPNs or restricting access to trusted networks reduces exposure to unauthenticated attacks. Implementing resource usage monitoring and alerting on Fleet servers can provide early warning of potential DoS conditions. Regularly reviewing and applying security patches for Fleet and related infrastructure is critical to maintaining resilience against such vulnerabilities.