GHSA-gm7f-v959-fr2g: Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
A vulnerability in Fleet DM allows users with observer-level access on any single team to read policy details belonging to other teams via the global policy read endpoint. The authorization logic incorrectly permits access by checking against an empty policy with nil TeamID, and the database query does not filter by team ownership. This breaks Fleet's team isolation model, exposing sensitive policy data such as SQL queries, compliance counts, and associated software/script metadata across teams. The issue affects versions prior to 4.85.0. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
The vulnerability exists in the global policy read endpoint (`GET /api/latest/fleet/policies/{policy_id}`) of Fleet DM where authorization is performed against an empty policy struct with a nil TeamID, allowing any user with observer-level access on any team to bypass team isolation. The database fetch does not filter policies by team ownership when TeamID is nil, returning any policy by ID regardless of team. This allows unauthorized reading of policies belonging to other teams. Properly secured endpoints enforce team scope checks, but this endpoint lacks a post-fetch verification to confirm the policy is global (TeamID nil).
Potential Impact
An authenticated user with observer-level access on a single team can read SQL queries, compliance pass/fail counts, software installer details, and script metadata from policies belonging to other teams. This exposure leaks sensitive security monitoring and compliance information across team boundaries, violating the intended team isolation model and potentially revealing internal infrastructure and security posture details.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The recommended fix is to add a post-fetch check in the vulnerable endpoint to verify that the returned policy is actually a global policy (with nil TeamID), consistent with other endpoints that enforce team scope. Until a patch is available, restrict observer-level access carefully and monitor for unauthorized access attempts.
GHSA-gm7f-v959-fr2g: Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Description
A vulnerability in Fleet DM allows users with observer-level access on any single team to read policy details belonging to other teams via the global policy read endpoint. The authorization logic incorrectly permits access by checking against an empty policy with nil TeamID, and the database query does not filter by team ownership. This breaks Fleet's team isolation model, exposing sensitive policy data such as SQL queries, compliance counts, and associated software/script metadata across teams. The issue affects versions prior to 4.85.0. No known exploits in the wild have been reported.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the global policy read endpoint (`GET /api/latest/fleet/policies/{policy_id}`) of Fleet DM where authorization is performed against an empty policy struct with a nil TeamID, allowing any user with observer-level access on any team to bypass team isolation. The database fetch does not filter policies by team ownership when TeamID is nil, returning any policy by ID regardless of team. This allows unauthorized reading of policies belonging to other teams. Properly secured endpoints enforce team scope checks, but this endpoint lacks a post-fetch verification to confirm the policy is global (TeamID nil).
Potential Impact
An authenticated user with observer-level access on a single team can read SQL queries, compliance pass/fail counts, software installer details, and script metadata from policies belonging to other teams. This exposure leaks sensitive security monitoring and compliance information across team boundaries, violating the intended team isolation model and potentially revealing internal infrastructure and security posture details.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The recommended fix is to add a post-fetch check in the vulnerable endpoint to verify that the returned policy is actually a global policy (with nil TeamID), consistent with other endpoints that enforce team scope. Until a patch is available, restrict observer-level access carefully and monitor for unauthorized access attempts.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-gm7f-v959-fr2g
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-41262"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a3ef76c27e9c79719fee88b
Added to database: 06/26/2026, 22:04:28 UTC
Last enriched: 06/26/2026, 22:08:53 UTC
Last updated: 06/27/2026, 04:17:38 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.