Fleet is an open source device management platform used to manage and monitor endpoint devices across organizations. Prior to version 4.81.0, Fleet contained a critical flaw in its user invitation acceptance process. When a user accepts an invitation to join Fleet, the system issues an invite token linked to a specific email address and role (e.g., global admin). However, the vulnerable versions did not verify that the email address submitted during acceptance matched the email address originally invited. This improper authentication (CWE-287) allowed an attacker who obtained a valid invite token—potentially through interception, social engineering, or insider threat—to register an account with any email address of their choosing. By doing so, the attacker inherits the privileges assigned to the invite, including potentially global administrative rights, enabling unauthorized access and control over the Fleet environment. The vulnerability is exploitable remotely over the network without requiring authentication or user interaction beyond possessing the invite token. The flaw impacts confidentiality and integrity by enabling privilege escalation and unauthorized account creation. The issue was addressed in Fleet version 4.81.0 by adding proper validation to ensure the email address during invite acceptance matches the invited email. No known exploits in the wild have been reported to date. The CVSS 4.0 vector indicates low attack complexity, no privileges required, no user interaction, and high impact on integrity, resulting in a medium severity rating with a base score of 4.9.

This vulnerability allows attackers to escalate privileges by creating accounts with arbitrary email addresses while inheriting roles assigned by valid invite tokens. For organizations using Fleet for device management, this can lead to unauthorized administrative access, enabling attackers to manipulate device configurations, access sensitive endpoint data, and potentially deploy malicious commands or software. The compromise of global admin accounts could result in full control over the Fleet management infrastructure, undermining endpoint security and visibility. Additionally, unauthorized account creation can disrupt audit trails and accountability. The impact extends to confidentiality, integrity, and availability of managed devices and organizational data. Since Fleet is used globally by enterprises and managed service providers, the risk is significant for organizations relying on it for endpoint security and compliance. Although no exploits are currently known in the wild, the ease of exploitation and potential damage warrant immediate remediation.

Organizations should upgrade Fleet installations to version 4.81.0 or later, where the vulnerability is patched by enforcing email address validation during invite acceptance. Until upgrading, administrators should restrict invite token distribution to trusted personnel only and monitor invite acceptance logs for anomalies such as mismatched email addresses or unexpected account creations. Implement network segmentation and access controls to limit exposure of Fleet management interfaces. Regularly audit user roles and permissions within Fleet to detect unauthorized privilege escalations. Employ multi-factor authentication (MFA) for administrative accounts to reduce risk from compromised credentials. Additionally, consider revoking and reissuing outstanding invite tokens issued before the patch to prevent misuse. Security teams should monitor for suspicious activity related to invite tokens and newly created accounts. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.