GHSA-4R5R-CCR6-Q6F6

Vulnerability from github – Published: 2026-01-20 20:55 – Updated: 2026-01-22 15:38
VLAI?
Summary
Fleet has an Access Control vulnerability in debug/pprof endpoints
Details

Summary

A broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.

Impact

Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.

Patches

  • 4.78.3
  • 4.77.1
  • 4.76.2
  • 4.75.2
  • 4.53.3

Workarounds

If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in osquery Slack

Credits

We thank @secfox-ai for responsibly reporting this issue.

Severity ?
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.78.0"
            },
            {
              "fixed": "4.78.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.77.0"
            },
            {
              "fixed": "4.77.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.76.0"
            },
            {
              "fixed": "4.76.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.75.0"
            },
            {
              "fixed": "4.75.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.78.3-0.20260112221730-5c030e32a3a9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T20:55:14Z",
    "nvd_published_at": "2026-01-21T22:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations.\n\n### Impact\n\nFleet\u2019s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege \u201cObserver\u201d role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist. \n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.",
  "id": "GHSA-4r5r-ccr6-q6f6",
  "modified": "2026-01-22T15:38:57Z",
  "published": "2026-01-20T20:55:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fleet has an Access Control vulnerability in debug/pprof endpoints"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.