GHSA-GM7F-V959-FR2G

Vulnerability from github – Published: 2026-06-26 20:30 – Updated: 2026-06-26 20:30
VLAI
Summary
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Details

Summary

The global policy read endpoint (GET /api/latest/fleet/policies/{policy_id}) performs authorization against an empty fleet.Policy{} struct with nil TeamID, then fetches any policy by ID from the database without verifying the fetched policy actually belongs to the global scope. This allows a user with observer-level access on any single team to read the full details of policies belonging to any other team, bypassing Fleet's team isolation model.

Details

The vulnerability is in GetPolicyByIDQueries at server/service/global_policies.go:163-180:

func (svc Service) GetPolicyByIDQueries(ctx context.Context, policyID uint) (*fleet.Policy, error) {
    // Auth check uses empty Policy{} — TeamID is nil
    if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionRead); err != nil {
        return nil, err
    }

    // Fetches ANY policy by ID, regardless of team ownership
    policy, err := svc.ds.Policy(ctx, policyID)
    if err != nil {
        return nil, err
    }
    // ... populates install_software and run_script, returns full policy
    return policy, nil
}

The authorization passes because the OPA rule at server/authz/policy.rego:724-728 allows reading policies with null team_id for any user who holds a role on any team:

allow {
  is_null(object.team_id)
  object.type == "policy"
  team_role(subject, subject.teams[_].id) == [admin, maintainer, technician, observer, observer_plus][_]
  action == read
}

Since the auth object has nil TeamID, this rule fires for any team member. After authorization, ds.Policy() calls policyDB() at server/datastore/mysql/policies.go:283-288 with a nil teamID:

func policyDB(ctx context.Context, q sqlx.QueryerContext, id uint, teamID *uint) (*fleet.Policy, error) {
    teamWhere := "TRUE"  // nil teamID → no team filter
    args := []interface{}{id}
    if teamID != nil {
        teamWhere = "team_id = ?"
        args = append(args, *teamID)
    }
    // ... executes SELECT with WHERE p.id = ? AND {teamWhere}

This returns any policy regardless of team ownership, and the full policy object is returned to the caller without any post-fetch team verification.

By contrast, the properly-secured endpoints verify team scope: - GetTeamPolicyByIDQueries (team_policies.go:421-428) sets TeamID: ptr.Uint(teamID) on the auth object and calls ds.TeamPolicy() which filters by team - DeleteGlobalPolicies (global_policies.go:255-263) explicitly checks policy.PolicyData.TeamID != nil after fetching

PoC

Prerequisites: A Fleet instance with at least two teams. User A has observer role on Team 1 only. Team 2 has policies that User A should not be able to view.

# Step 1: Authenticate as User A (Team 1 observer only)
TOKEN=$(curl -s -X POST https://fleet.example.com/api/latest/fleet/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"team1observer@example.com","password":"password"}' | jq -r '.token')

# Step 2: Enumerate policy IDs (they are sequential integers)
# Attempt to read a policy belonging to Team 2 (e.g., policy ID 5)
curl -s -H "Authorization: Bearer $TOKEN" \
  https://fleet.example.com/api/latest/fleet/policies/5

# Expected: 403 Forbidden (user has no access to Team 2)
# Actual: 200 OK with full policy data:
# {
#   "policy": {
#     "id": 5,
#     "name": "Team 2 Sensitive Policy",
#     "query": "SELECT * FROM sensitive_table WHERE ...",
#     "team_id": 2,
#     "passing_host_count": 42,
#     "failing_host_count": 7,
#     "description": "...",
#     "resolution": "...",
#     ...
#   }
# }

Impact

An authenticated user with observer-level access on any single team can:

  • Read SQL queries from all team policies across the Fleet instance, potentially revealing security monitoring strategies, compliance checks, and internal infrastructure details
  • View host pass/fail counts for other teams' policies, leaking compliance posture data across team boundaries
  • Access software installer and script metadata associated with other teams' policies via the populatePolicyInstallSoftware and populatePolicyRunScript calls
  • Enumerate all policies by iterating sequential integer IDs

This breaks Fleet's team isolation model, which is designed to restrict visibility between teams. Organizations using teams to separate departments, clients, or security zones would have their policy data exposed across boundaries.

Recommended Fix

Add a post-fetch check in GetPolicyByIDQueries to verify the returned policy is actually a global policy (nil TeamID), consistent with how DeleteGlobalPolicies operates:

func (svc Service) GetPolicyByIDQueries(ctx context.Context, policyID uint) (*fleet.Policy, error) {
    if err := svc.authz.Authorize(ctx, &fleet.Policy{}, fleet.ActionRead); err != nil {
        return nil, err
    }

    policy, err := svc.ds.Policy(ctx, policyID)
    if err != nil {
        return nil, err
    }

    // Verify this is actually a global policy — team policies must be
    // accessed via the team-scoped endpoint which enforces team authorization
    if policy.TeamID != nil {
        return nil, authz.ForbiddenWithInternal(
            "attempting to read team policy via global endpoint",
            authz.UserFromContext(ctx),
            policy,
            fleet.ActionRead,
        )
    }

    if err := svc.populatePolicyInstallSoftware(ctx, policy); err != nil {
        return nil, ctxerr.Wrap(ctx, err, "populate install_software")
    }
    if err := svc.populatePolicyRunScript(ctx, policy); err != nil {
        return nil, ctxerr.Wrap(ctx, err, "populate run_script")
    }

    return policy, nil
}

Alternatively, re-authorize against the actual fetched policy object so OPA rules properly evaluate team membership, similar to how other Fleet endpoints handle object-level authorization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.85.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:30:27Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe global policy read endpoint (`GET /api/latest/fleet/policies/{policy_id}`) performs authorization against an empty `fleet.Policy{}` struct with nil TeamID, then fetches any policy by ID from the database without verifying the fetched policy actually belongs to the global scope. This allows a user with observer-level access on any single team to read the full details of policies belonging to any other team, bypassing Fleet\u0027s team isolation model.\n\n## Details\n\nThe vulnerability is in `GetPolicyByIDQueries` at `server/service/global_policies.go:163-180`:\n\n```go\nfunc (svc Service) GetPolicyByIDQueries(ctx context.Context, policyID uint) (*fleet.Policy, error) {\n\t// Auth check uses empty Policy{} \u2014 TeamID is nil\n\tif err := svc.authz.Authorize(ctx, \u0026fleet.Policy{}, fleet.ActionRead); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Fetches ANY policy by ID, regardless of team ownership\n\tpolicy, err := svc.ds.Policy(ctx, policyID)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\t// ... populates install_software and run_script, returns full policy\n\treturn policy, nil\n}\n```\n\nThe authorization passes because the OPA rule at `server/authz/policy.rego:724-728` allows reading policies with null `team_id` for any user who holds a role on any team:\n\n```rego\nallow {\n  is_null(object.team_id)\n  object.type == \"policy\"\n  team_role(subject, subject.teams[_].id) == [admin, maintainer, technician, observer, observer_plus][_]\n  action == read\n}\n```\n\nSince the auth object has nil TeamID, this rule fires for any team member. After authorization, `ds.Policy()` calls `policyDB()` at `server/datastore/mysql/policies.go:283-288` with a nil teamID:\n\n```go\nfunc policyDB(ctx context.Context, q sqlx.QueryerContext, id uint, teamID *uint) (*fleet.Policy, error) {\n\tteamWhere := \"TRUE\"  // nil teamID \u2192 no team filter\n\targs := []interface{}{id}\n\tif teamID != nil {\n\t\tteamWhere = \"team_id = ?\"\n\t\targs = append(args, *teamID)\n\t}\n\t// ... executes SELECT with WHERE p.id = ? AND {teamWhere}\n```\n\nThis returns any policy regardless of team ownership, and the full policy object is returned to the caller without any post-fetch team verification.\n\nBy contrast, the properly-secured endpoints verify team scope:\n- `GetTeamPolicyByIDQueries` (`team_policies.go:421-428`) sets `TeamID: ptr.Uint(teamID)` on the auth object and calls `ds.TeamPolicy()` which filters by team\n- `DeleteGlobalPolicies` (`global_policies.go:255-263`) explicitly checks `policy.PolicyData.TeamID != nil` after fetching\n\n## PoC\n\nPrerequisites: A Fleet instance with at least two teams. User A has observer role on Team 1 only. Team 2 has policies that User A should not be able to view.\n\n```bash\n# Step 1: Authenticate as User A (Team 1 observer only)\nTOKEN=$(curl -s -X POST https://fleet.example.com/api/latest/fleet/login \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"email\":\"team1observer@example.com\",\"password\":\"password\"}\u0027 | jq -r \u0027.token\u0027)\n\n# Step 2: Enumerate policy IDs (they are sequential integers)\n# Attempt to read a policy belonging to Team 2 (e.g., policy ID 5)\ncurl -s -H \"Authorization: Bearer $TOKEN\" \\\n  https://fleet.example.com/api/latest/fleet/policies/5\n\n# Expected: 403 Forbidden (user has no access to Team 2)\n# Actual: 200 OK with full policy data:\n# {\n#   \"policy\": {\n#     \"id\": 5,\n#     \"name\": \"Team 2 Sensitive Policy\",\n#     \"query\": \"SELECT * FROM sensitive_table WHERE ...\",\n#     \"team_id\": 2,\n#     \"passing_host_count\": 42,\n#     \"failing_host_count\": 7,\n#     \"description\": \"...\",\n#     \"resolution\": \"...\",\n#     ...\n#   }\n# }\n```\n\n## Impact\n\nAn authenticated user with observer-level access on any single team can:\n\n- **Read SQL queries** from all team policies across the Fleet instance, potentially revealing security monitoring strategies, compliance checks, and internal infrastructure details\n- **View host pass/fail counts** for other teams\u0027 policies, leaking compliance posture data across team boundaries\n- **Access software installer and script metadata** associated with other teams\u0027 policies via the `populatePolicyInstallSoftware` and `populatePolicyRunScript` calls\n- **Enumerate all policies** by iterating sequential integer IDs\n\nThis breaks Fleet\u0027s team isolation model, which is designed to restrict visibility between teams. Organizations using teams to separate departments, clients, or security zones would have their policy data exposed across boundaries.\n\n## Recommended Fix\n\nAdd a post-fetch check in `GetPolicyByIDQueries` to verify the returned policy is actually a global policy (nil TeamID), consistent with how `DeleteGlobalPolicies` operates:\n\n```go\nfunc (svc Service) GetPolicyByIDQueries(ctx context.Context, policyID uint) (*fleet.Policy, error) {\n\tif err := svc.authz.Authorize(ctx, \u0026fleet.Policy{}, fleet.ActionRead); err != nil {\n\t\treturn nil, err\n\t}\n\n\tpolicy, err := svc.ds.Policy(ctx, policyID)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Verify this is actually a global policy \u2014 team policies must be\n\t// accessed via the team-scoped endpoint which enforces team authorization\n\tif policy.TeamID != nil {\n\t\treturn nil, authz.ForbiddenWithInternal(\n\t\t\t\"attempting to read team policy via global endpoint\",\n\t\t\tauthz.UserFromContext(ctx),\n\t\t\tpolicy,\n\t\t\tfleet.ActionRead,\n\t\t)\n\t}\n\n\tif err := svc.populatePolicyInstallSoftware(ctx, policy); err != nil {\n\t\treturn nil, ctxerr.Wrap(ctx, err, \"populate install_software\")\n\t}\n\tif err := svc.populatePolicyRunScript(ctx, policy); err != nil {\n\t\treturn nil, ctxerr.Wrap(ctx, err, \"populate run_script\")\n\t}\n\n\treturn policy, nil\n}\n```\n\nAlternatively, re-authorize against the actual fetched policy object so OPA rules properly evaluate team membership, similar to how other Fleet endpoints handle object-level authorization.",
  "id": "GHSA-gm7f-v959-fr2g",
  "modified": "2026-06-26T20:30:27Z",
  "published": "2026-06-26T20:30:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-gm7f-v959-fr2g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…