CVE-2026-23999
Predictable PIN Generation in Fleet Device Lock Enables PIN Guessing
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fleetdm | fleet | < 4.80.1 (fixed in 4.80.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Fleet to version 4.80.1 or later, where the vulnerability has been patched.
No known workarounds are available for this issue.
Because exploitation requires physical access and knowledge of the approximate lock time, limiting physical access to devices and monitoring device lock events can also help reduce risk.
Can you explain this vulnerability to me?
CVE-2026-23999 is a vulnerability in Fleet, an open-source device management platform, affecting versions prior to 4.80.1. Fleet derives device lock and wipe PINs deterministically from the current Unix timestamp, with no secret key and no additional randomness mixed in.
This means the 6-digit PIN shown to administrators for unlocking a device is not drawn from the full space of one million values: an attacker who has physical access to the locked device and knows roughly when it was locked only has to try the PINs that the algorithm could have produced within that time window.
Exploitation is nonetheless constrained. The attacker needs physical possession of the device, must know the approximate lock time, and the operating system rate-limits PIN entry attempts, so even a small candidate set may take longer to exhaust than the attacker has. For wipe operations, the wipe usually completes before enough attempts can be made.
The vulnerability is fixed in Fleet version 4.80.1.
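The following Go program is an added illustration of why a timestamp-only PIN is guessable; it is not Fleet's code, and the weakPIN derivation (SHA-256 of the timestamp, reduced mod 10^6) is a hypothetical stand-in for any keyless deterministic function of the lock time. What matters is not the function but that an attacker who can bound the lock time to a window of N seconds has at most N candidate PINs to try, against 1,000,000 for a PIN drawn from a CSPRNG.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// weakPIN stands in for a PIN derived only from the Unix timestamp with no
// secret key. The derivation (SHA-256 of the timestamp, mod 10^6) is a
// hypothetical illustration, NOT Fleet's actual algorithm.
func weakPIN(unixTime int64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(unixTime))
	sum := sha256.Sum256(buf[:])
	n := binary.BigEndian.Uint32(sum[:4]) % 1000000
	return fmt.Sprintf("%06d", n)
}

// candidatePINs enumerates every PIN the weak scheme could have produced if
// the lock happened within +/- windowSeconds of approxLockTime. The size of
// this set, not 10^6, is the attacker's search space.
func candidatePINs(approxLockTime, windowSeconds int64) map[string]struct{} {
	cands := make(map[string]struct{})
	for ts := approxLockTime - windowSeconds; ts <= approxLockTime+windowSeconds; ts++ {
		cands[weakPIN(ts)] = struct{}{}
	}
	return cands
}

// securePIN draws six digits from crypto/rand; knowing when it was generated
// gives no information about its value.
func securePIN() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

func main() {
	// Constructed scenario: device locked at 12:00:00 UTC on 2026-02-26.
	lockTime := time.Date(2026, 2, 26, 12, 0, 0, 0, time.UTC).Unix()
	actual := weakPIN(lockTime)

	// The attacker's estimate is off by 37 s and uncertain to +/- 5 minutes.
	cands := candidatePINs(lockTime+37, 300)
	_, hit := cands[actual]
	fmt.Printf("weak PIN %s; %d candidates in a 10-minute window; in set: %v\n",
		actual, len(cands), hit)

	p, err := securePIN()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSPRNG PIN %s; 1000000 candidates regardless of lock time\n", p)
}
```

With a 10-minute uncertainty window the candidate set is at most 601 PINs; the OS rate limiting the advisory mentions is what keeps that from being a practical unlock, which is why the text calls the impact limited rather than negligible.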
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker with physical possession of a locked device and knowledge of the approximate lock time to predict the device's lock or wipe PIN.
This could potentially enable unauthorized unlocking or wiping of the device.
However, the impact is limited because the attacker must have physical access, know the approximate lock time, and overcome operating system rate limiting on PIN attempts.
Remote exploitation or broader compromise of Fleet or its authentication controls is not possible through this vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The weakness is in how the Fleet server generates lock and wipe PINs (a deterministic function of the current Unix timestamp) in versions prior to 4.80.1, so there is nothing on the network or on managed hosts that signals the vulnerable code path.
Detection therefore comes down to establishing the Fleet server version: any version below 4.80.1 is affected.
No specific commands or network signatures are provided for spotting exploit attempts, since exploitation happens at the locked device's PIN prompt by someone with physical access and knowledge of the approximate lock time.
Checking the installed Fleet version is the primary way to determine whether you are exposed; correlating device lock events with any later unlock that no administrator performed is the closest available indicator of abuse.
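An added example of the version check, written in Go (Fleet's own language) and not taken from the Fleet project. It assumes the server's version endpoint is GET /api/v1/fleet/version and that the JSON body carries the release in a "version" field; confirm both against your deployment's API documentation before relying on them. The sample body below is constructed, and the parser treats a pre-release such as 4.80.1-rc1 as older than 4.80.1 so that release candidates are not wrongly reported as fixed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// versionResponse holds the one field we need from the version endpoint.
// The field name "version" is assumed; verify it against your Fleet server.
type versionResponse struct {
	Version string `json:"version"`
}

// parseVersion turns "4.79.1", "v4.79.1" or "4.79.1-rc1" into its numeric
// components and reports whether a pre-release suffix was present.
func parseVersion(v string) (parts [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // "-rc1" etc. sorts before the release
		prerelease = true
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("unexpected version format %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil || n < 0 {
			return parts, false, fmt.Errorf("non-numeric component in %q", v)
		}
		parts[i] = n
	}
	return parts, prerelease, nil
}

// isVulnerable reports whether the given Fleet version is below the fixed
// release 4.80.1. A pre-release of 4.80.1 itself still counts as vulnerable.
func isVulnerable(version string) (bool, error) {
	have, prerelease, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed := [3]int{4, 80, 1}
	for i := 0; i < 3; i++ {
		if have[i] != fixed[i] {
			return have[i] < fixed[i], nil
		}
	}
	return prerelease, nil
}

// checkVersionJSON takes the raw JSON body returned by the version endpoint
// and returns the reported version and whether it is affected.
func checkVersionJSON(body []byte) (version string, vulnerable bool, err error) {
	var r versionResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", false, fmt.Errorf("decoding version response: %w", err)
	}
	vulnerable, err = isVulnerable(r.Version)
	return r.Version, vulnerable, err
}

func main() {
	// Constructed sample body. Against a live server the body would come from
	// (assumed endpoint, API token required):
	//   curl -s -H "Authorization: Bearer $FLEET_TOKEN" \
	//        https://fleet.example.com/api/v1/fleet/version
	sample := []byte(`{"version":"4.79.0","branch":"main","revision":"abc123"}`)
	v, vuln, err := checkVersionJSON(sample)
	if err != nil {
		panic(err)
	}
	if vuln {
		fmt.Printf("Fleet %s is affected by CVE-2026-23999; upgrade to 4.80.1 or later\n", v)
	} else {
		fmt.Printf("Fleet %s is not affected by CVE-2026-23999\n", v)
	}
}
```

Run it against the constructed body and it reports 4.79.0 as affected; feed it the real endpoint output and the same logic applies, including for "v"-prefixed tags and release candidates.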