CVE-2026-26061: CWE-770: Allocation of Resources Without Limits or Throttling in fleetdm fleet
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.
AI Analysis
Technical Summary
Fleet, open source device management software, contained a vulnerability (CVE-2026-26061) classified as CWE-770, allocation of resources without limits or throttling: multiple unauthenticated HTTP endpoints in versions before 4.81.0 read request bodies without enforcing a size limit. An unauthenticated attacker can therefore send large or repeated HTTP payloads that drive excessive memory consumption and cause a denial-of-service condition. The vulnerability carries a CVSS 4.0 score of 8.7 (high severity) and was patched in Fleet version 4.81.0.
Potential Impact
Exploitation can cause Fleet instances running versions prior to 4.81.0 to consume excessive memory, leading to denial of service and disrupting device management operations for as long as the service is unavailable. No authenticated access or user interaction is required to trigger the issue.
Mitigation Recommendations
Upgrade Fleet to version 4.81.0 or later, where this vulnerability has been patched. Because Fleet is a self-hosted product, operators must apply the official fix themselves to remediate the issue. No vendor advisory describes an alternative mitigation, and none states that no action is required.
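To make the defect and the fix concrete, here is an added Go example (not Fleet's own code; the endpoint path, the 1 MiB cap and the 4 MiB payload are assumptions) contrasting an endpoint that buffers the request body unbounded with one that wraps the body in http.MaxBytesReader:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)
// Assumed cap for this example; the limit Fleet 4.81.0 enforces is not on the page.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

// newHandler returns an endpoint that buffers the request body and records how
// many bytes it held. limit == 0 reproduces the pre-4.81.0 pattern (io.ReadAll
// on the raw body, so the client decides the allocation); limit > 0 wraps the
// body in http.MaxBytesReader, which stops at limit bytes and returns *http.MaxBytesError.
func newHandler(limit int64, buffered *int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if limit > 0 {
			r.Body = http.MaxBytesReader(w, r.Body, limit)
		}
		body, err := io.ReadAll(r.Body)
		*buffered = len(body)
		if err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}
// post sends a constructed body of n bytes to the assumed endpoint and reports
// the HTTP status and the number of bytes the handler buffered.
func post(limit int64, n int) (status, buffered int) {
	req := httptest.NewRequest(http.MethodPost, "/api/example", strings.NewReader(strings.Repeat("A", n)))
	rec := httptest.NewRecorder()
	newHandler(limit, &buffered)(rec, req)
	return rec.Code, buffered
}
func main() {
	s, b := post(0, 4<<20) // 4 MiB constructed payload, well above maxBodyBytes
	fmt.Printf("unbounded: status=%d buffered=%d\n", s, b)
	s, b = post(maxBodyBytes, 4<<20)
	fmt.Printf("bounded:   status=%d buffered=%d\n", s, b)
}
```

The unbounded handler holds the entire 4 MiB in memory and answers 204, while the bounded one stops at 1 MiB, answers 413, and MaxBytesReader signals the server to close the connection so the client cannot keep streaming.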
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-10T18:01:31.900Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6d01e3c064ed76fe28e0b
Added to database: 3/27/2026, 6:44:46 PM
Last enriched: 4/4/2026, 10:56:15 AM
Last updated: 5/11/2026, 8:56:43 AM