CVE-2026-46356: CWE-290: Authentication Bypass by Spoofing in fleetdm fleet
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.
AI Analysis
Technical Summary
Fleet, an open source device management software, versions before 4.80.1 improperly extract client IP addresses from headers such as True-Client-IP, X-Real-IP, and X-Forwarded-For without validating their source. This allows unauthenticated attackers to spoof these headers and bypass per-IP API rate limiting and IP ban mechanisms. Consequently, attackers can perform unrestricted brute-force or credential stuffing attacks against Fleet APIs exposed to the internet. The vulnerability primarily affects instances not protected by reverse proxies or WAFs that overwrite these headers. Version 4.80.1 contains a patch that addresses this issue by correcting the IP extraction logic. If upgrading immediately is not feasible, deploying Fleet behind a reverse proxy that enforces correct client IP headers and rate limiting is recommended.
Potential Impact
Attackers can bypass API rate limiting and IP bans by spoofing client IP headers, enabling unlimited brute-force login attempts or other abusive actions on Fleet instances exposed directly to the internet. This can lead to unauthorized access if credentials are compromised. Instances behind properly configured proxies or WAFs are less impacted. There are no known exploits in the wild at this time.
Mitigation Recommendations
A patch is available in Fleet version 4.80.1 that fixes the IP extraction vulnerability. Administrators should upgrade to this version as soon as possible. If immediate upgrade is not possible, ensure Fleet is deployed behind a reverse proxy or WAF (e.g., nginx, Cloudflare, AWS ALB) that overwrites the X-Forwarded-For header with the true client IP and applies rate limiting at the proxy level. This mitigates the risk by preventing attackers from spoofing IP headers.
CVE-2026-46356: CWE-290: Authentication Bypass by Spoofing in fleetdm fleet
Description
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Fleet, an open source device management software, versions before 4.80.1 improperly extract client IP addresses from headers such as True-Client-IP, X-Real-IP, and X-Forwarded-For without validating their source. This allows unauthenticated attackers to spoof these headers and bypass per-IP API rate limiting and IP ban mechanisms. Consequently, attackers can perform unrestricted brute-force or credential stuffing attacks against Fleet APIs exposed to the internet. The vulnerability primarily affects instances not protected by reverse proxies or WAFs that overwrite these headers. Version 4.80.1 contains a patch that addresses this issue by correcting the IP extraction logic. If upgrading immediately is not feasible, deploying Fleet behind a reverse proxy that enforces correct client IP headers and rate limiting is recommended.
Potential Impact
Attackers can bypass API rate limiting and IP bans by spoofing client IP headers, enabling unlimited brute-force login attempts or other abusive actions on Fleet instances exposed directly to the internet. This can lead to unauthorized access if credentials are compromised. Instances behind properly configured proxies or WAFs are less impacted. There are no known exploits in the wild at this time.
Mitigation Recommendations
A patch is available in Fleet version 4.80.1 that fixes the IP extraction vulnerability. Administrators should upgrade to this version as soon as possible. If immediate upgrade is not possible, ensure Fleet is deployed behind a reverse proxy or WAF (e.g., nginx, Cloudflare, AWS ALB) that overwrites the X-Forwarded-For header with the true client IP and applies rate limiting at the proxy level. This mitigates the risk by preventing attackers from spoofing IP headers.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T18:37:30.991Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a06248cec166c07b00b4c6c
Added to database: 5/14/2026, 7:37:48 PM
Last enriched: 5/14/2026, 7:52:46 PM
Last updated: 5/15/2026, 6:21:22 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.