CVE-2026-23517
Unknown Unknown - Not Provided
Broken Access Control in Fleet Debug Endpoints Allows DoS

Publication date: 2026-01-21

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege β€œObserver” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23517
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
fleetdm fleet to 4.53.3 (exc)
fleetdm fleet From 4.75.0 (inc) to 4.75.2 (exc)
fleetdm fleet From 4.76.0 (inc) to 4.76.2 (exc)
fleetdm fleet 4.77.0
fleetdm fleet From 4.78.0 (inc) to 4.78.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a broken access control issue in Fleet, an open source device management software. It allows authenticated users, even those with the lowest privilege level (Observer role), to access debug and profiling endpoints that should be restricted. These endpoints expose sensitive internal server diagnostics, runtime profiling data, and in-memory application state. Additionally, users can trigger CPU-intensive profiling operations through these endpoints.

Impact Analysis

The vulnerability can impact you by allowing low-privilege users to access sensitive server internals and runtime data that they should not see. They can also trigger resource-intensive profiling operations that may lead to denial of service by overloading the server's CPU resources.

Detection Guidance

You can detect this vulnerability by checking if the Fleet debug/pprof endpoints are accessible to low-privilege authenticated users. Specifically, verify if users with the Observer role can access debug or profiling endpoints such as /debug/pprof. Commands to test this could include using curl or similar tools to authenticate as a low-privilege user and attempt to access these endpoints, for example: curl -u observer_user:password http://fleet-server/debug/pprof/. If access is granted, the system is vulnerable.

Mitigation Strategies

The immediate mitigation steps are to upgrade Fleet to one of the fixed versions: 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3. If an immediate upgrade is not possible, you should put the debug/pprof endpoints behind an IP allowlist to restrict access only to trusted IP addresses, preventing low-privilege users from accessing these sensitive endpoints.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart