
CVE-2026-27465: CWE-201: Insertion of Sensitive Information Into Sent Data in fleetdm fleet

Severity: Low
Tags: CVE-2026-27465, CWE-201
Published: Thu Feb 26 2026 (02/26/2026, 02:54:04 UTC)
Source: CVE Database V5
Vendor/Project: fleetdm
Product: fleet

Description

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned. As a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. This issue does not allow escalation of privileges within Fleet or access to device management functionality. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.

AI-Powered Analysis

Last updated: 02/26/2026, 14:57:52 UTC

Technical Analysis

Fleet is an open-source device management platform used to manage and monitor endpoints. In versions before 4.80.1, a vulnerability (CVE-2026-27465) exists in the configuration API that returns sensitive Google Calendar service account credentials to any authenticated user, including those assigned the lowest privilege role, 'Observer'. The API endpoint responsible for returning configuration data fails to obfuscate or redact the private key material associated with the Google Calendar service account. This flaw stems from CWE-201, which involves the insertion of sensitive information into sent data. As a result, low-privilege users can retrieve the private key and potentially use it to access Google Calendar resources or other Google Workspace assets linked to the compromised service account. Importantly, this vulnerability does not allow attackers to escalate privileges within Fleet or interfere with device management capabilities. The flaw is addressed in Fleet version 4.80.1, which properly restricts access to sensitive credentials. No known exploits are currently reported in the wild. The CVSS 4.0 base score is 1.3, reflecting low severity due to limited impact scope and the requirement for authenticated access.

Potential Impact

The primary impact is unauthorized disclosure of sensitive Google service account credentials to low-privilege authenticated users within Fleet. This could lead to unauthorized access to Google Calendar data or other Google Workspace resources associated with the service account, potentially exposing sensitive organizational scheduling information or other integrated data. However, since the vulnerability does not allow privilege escalation within Fleet or access to device management functions, the risk is contained to the Google Workspace environment linked to the service account. Organizations relying on Fleet’s Google Calendar integration could face confidentiality breaches of calendar data, which might affect operational security and privacy. The impact is mitigated if the Google Calendar integration is not used or if credentials are rotated promptly after exposure. The vulnerability requires authenticated access, limiting exposure to internal or trusted users with Fleet accounts.

Mitigation Recommendations

Administrators should upgrade Fleet to version 4.80.1 or later, which patches the vulnerability by properly restricting access to sensitive Google service account credentials. If immediate upgrading is not feasible, the Google Calendar integration should be disabled or removed from Fleet to prevent exposure. Additionally, affected Google service account credentials must be rotated immediately to invalidate any potentially compromised keys. Organizations should audit user roles and permissions within Fleet to ensure that only necessary users have access, minimizing the risk of credential exposure. Monitoring and logging access to the configuration API endpoint can help detect any unauthorized attempts to retrieve sensitive data. Finally, organizations should review their Google Workspace audit logs for unusual access patterns linked to the service account to identify potential misuse.
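To make the CWE-201 failure concrete, here is an added illustration (not Fleet's own code) of a config endpoint that serialises a stored Google Calendar service account key as-is, beside the redacting version that masks the private key before the response leaves the server, plus a small check a defender can run over a captured config response to confirm no key material is returned. The struct and field names are constructed for the example and do not claim to match Fleet's real schema.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed, simplified model of a config response that carries a Google
// Calendar service account key. Field names are assumptions for illustration.
type ServiceAccountKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

type GoogleCalendarIntegration struct {
	Domain string            `json:"domain"`
	Key    ServiceAccountKey `json:"api_key_json"`
}

type AppConfig struct {
	GoogleCalendar []GoogleCalendarIntegration `json:"google_calendar"`
}

const maskedValue = "********"

// serveConfigVulnerable mirrors the pre-4.80.1 behaviour described in the
// advisory: the stored config, private key included, is serialised unchanged
// for any authenticated caller, Observer role included.
func serveConfigVulnerable(cfg AppConfig) ([]byte, error) {
	return json.Marshal(cfg)
}

// serveConfigRedacted masks the private key on a copy before serialisation,
// so a read-only caller never receives key material; cfg itself is untouched.
func serveConfigRedacted(cfg AppConfig) ([]byte, error) {
	out := cfg
	out.GoogleCalendar = make([]GoogleCalendarIntegration, len(cfg.GoogleCalendar))
	for i, gc := range cfg.GoogleCalendar { // gc is a value copy
		gc.Key.PrivateKey = maskedValue
		out.GoogleCalendar[i] = gc
	}
	return json.Marshal(out)
}

// LeaksPrivateKey is a defender-side check over a captured response body:
// it reports whether PEM private key material is still present.
func LeaksPrivateKey(body []byte) bool {
	s := string(body)
	return strings.Contains(s, "-----BEGIN") && strings.Contains(s, "PRIVATE KEY-----")
}
```

Running LeaksPrivateKey over the body returned by the config endpoint to a low-privilege test account, before and after upgrading, is a quick way to confirm the fix took effect in your deployment.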


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-19T17:25:31.101Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a05b9eb7ef31ef0b68a604

Added to database: 2/26/2026, 2:41:34 PM

Last enriched: 2/26/2026, 2:57:52 PM

Last updated: 2/26/2026, 11:16:15 PM
