CVE-2026-23518
JWT Signature Bypass in Fleet Windows MDM Enables Unauthorized Enrollment
Publication date: 2026-01-21
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fleetdm | fleet | to 4.53.3 (exc) |
| fleetdm | fleet | From 4.75.0 (inc) to 4.75.2 (exc) |
| fleetdm | fleet | From 4.76.0 (inc) to 4.76.2 (exc) |
| fleetdm | fleet | 4.77.0 |
| fleetdm | fleet | From 4.78.0 (inc) to 4.78.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Fleet's Windows MDM enrollment flow where attacker-submitted forged authentication tokens are not properly validated. Specifically, JWT signatures were not verified, allowing attackers to submit attacker-controlled identity claims. This flaw enables unauthorized devices to be enrolled under arbitrary Azure AD user identities.
How can this vulnerability impact me? :
The vulnerability can allow attackers to enroll unauthorized devices into the Fleet device management system under any Azure AD user identity. This could lead to unauthorized access, potential data breaches, and compromise of managed devices.
What immediate steps should I take to mitigate this vulnerability?
If an immediate upgrade to fixed versions (4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3) is not possible, affected Fleet users should temporarily disable Windows MDM enrollment to mitigate the vulnerability.