DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22808: Fleet MDM: When Text Templates Become Admin Account Takeovers

Vulnerability ID: CVE-2026-22808
CVSS Score: 6.1
Published: 2026-01-20

A classic tale of "wrong tool for the job" in the Go ecosystem led to a Reflected Cross-Site Scripting (XSS) vulnerability in Fleet's Windows MDM component. By confusing text generation with HTML rendering, developers inadvertently allowed attackers to inject malicious JavaScript via the appru parameter.

TL;DR

Fleet's Windows MDM authentication endpoint rendered its response with Go's text/template, which substitutes values verbatim, instead of html/template, which escapes each value according to the HTML context it lands in. Without that contextual escaping, an attacker could reflect arbitrary JavaScript through the appru query parameter. If an authenticated admin clicks a crafted link, the script runs in their Fleet browser session and that session can be hijacked.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Cross-site Scripting)
  • CVSS v3.1: 6.1 (Medium)
  • Attack Vector: Network (Reflected via URL)
  • Privileges Required: None (Target is the Admin)
  • User Interaction: Required (Phishing/Click)
  • Exploit Status: PoC Available

Affected Systems

  • Fleet (server) with Windows MDM enabled
  • Fleet: < 4.53.3 (Fixed in: 4.53.3)
  • Fleet: >= 4.54.0, < 4.75.2 (Fixed in: 4.75.2)
  • Fleet: >= 4.76.0, < 4.76.2 (Fixed in: 4.76.2)
  • Fleet: >= 4.77.0, < 4.77.1 (Fixed in: 4.77.1)
  • Fleet: >= 4.78.0, < 4.78.2 (Fixed in: 4.78.2)

Code Analysis

Commit: 0e6c790

Fixed reflected XSS in Windows MDM auth endpoint by switching to html/template and validating appru scheme

func isValidAppru(appru string) bool { ... }

Exploit Details

  • Manual Analysis: Payload constructed via analysis of patch diff: /api/v1/microsoft_mdm/mde/2/auth?appru=javascript:alert(1)

Mitigation Strategies

  • Input Validation: Parse URL parameters and validate them against a strict allowlist of schemes (http, https). A scheme check stops javascript: and data: URLs, but by itself it does not prevent a quote from breaking out of an HTML attribute, so it complements output encoding rather than replacing it.
  • Output Encoding: Always use context-aware templating engines (e.g., html/template in Go) for HTML content.
  • Content Security Policy (CSP): Implement strict CSP headers to prevent inline script execution and restrict data exfiltration.
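The contrast described in the TL;DR and in the first two mitigation bullets, as an added Go example that is not Fleet's code: the same template rendered through text/template (the vulnerable pattern) and html/template (the fix), plus a scheme allowlist in front of it. The template shape, the function names isValidAppruExample and authResponse, and the sample inputs are assumptions made for this illustration; the body of Fleet's real isValidAppru is not reproduced on the page.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"net/http"
	"net/url"
	texttemplate "text/template"
)

// authPage is a constructed stand-in for the auth endpoint's response body.
// Assumption: this is not Fleet's real template; it only places the appru
// value where a return URL would land, inside a URL-valued attribute.
const authPage = `<html><body>` +
	`<form method="post" action="{{.Appru}}">` +
	`<input type="hidden" name="wresult" value="token"/>` +
	`</form></body></html>`

type pageData struct{ Appru string }

// renderText reproduces the vulnerable pattern: text/template substitutes
// .Appru byte for byte, so a quote closes the attribute and a javascript:
// URL survives untouched.
func renderText(appru string) string {
	tmpl := texttemplate.Must(texttemplate.New("auth").Parse(authPage))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, pageData{Appru: appru}); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderHTML is the first half of the fix: html/template parses the markup,
// sees that {{.Appru}} sits in a URL attribute, and applies URL filtering
// (unsafe schemes become "#ZgotmplZ"), URL normalisation (quotes and angle
// brackets are percent-encoded) and attribute escaping.
func renderHTML(appru string) string {
	tmpl := htmltemplate.Must(htmltemplate.New("auth").Parse(authPage))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, pageData{Appru: appru}); err != nil {
		panic(err)
	}
	return buf.String()
}

// isValidAppruExample is the second half of the fix, written here as a
// hypothetical reimplementation of the scheme check the commit message
// describes. It accepts only absolute http/https URLs with a host, which
// rejects javascript:, data: and scheme-relative (//host) values before
// they reach any template.
func isValidAppruExample(appru string) bool {
	u, err := url.Parse(appru)
	if err != nil {
		return false
	}
	switch u.Scheme { // url.Parse lower-cases the scheme for us
	case "http", "https":
		return u.Host != ""
	default:
		return false
	}
}

// authResponse composes the two halves at the handler boundary: validate
// first, then render with the context-aware engine as defense in depth.
// It returns the HTTP status and the body a handler would write.
func authResponse(appru string) (int, string) {
	if !isValidAppruExample(appru) {
		return http.StatusBadRequest, "invalid appru\n"
	}
	return http.StatusOK, renderHTML(appru)
}

func main() {
	// Constructed inputs: the PoC-style scheme payload, an attribute
	// breakout that passes the scheme check, and a legitimate callback.
	for _, in := range []string{
		"javascript:alert(1)",
		`https://example.com/"><script>alert(1)</script>`,
		"https://example.com/callback",
	} {
		code, body := authResponse(in)
		fmt.Printf("input: %s\n  text/template: %s\n  html/template: %s\n  hardened handler: %d %s\n",
			in, renderText(in), renderHTML(in), code, body)
	}
}
```

Running it shows why both halves matter: the javascript: payload is rejected by the allowlist, while the attribute-breakout URL has a valid https scheme and is only neutralised because html/template percent-encodes the quote and angle brackets it carries.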

Remediation Steps:

  1. Upgrade Fleet to version 4.78.2, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 immediately.
  2. If upgrading is impossible, disable the Windows MDM feature in your Fleet configuration yaml.
  3. Rotate all administrator session tokens if you suspect compromise.
