DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23518: Fleet Fiasco: The Unverified JWT That Opened the Gates

Vulnerability ID: CVE-2026-23518
CVSS Score: 8.8
Published: 2026-01-20

A critical authentication bypass in Fleet Device Management's Windows MDM enrollment flow allows attackers to spoof Azure AD identities by submitting unsigned or maliciously crafted JWTs.

TL;DR

Fleet DM mishandled Azure AD tokens during Windows device enrollment. Instead of verifying the token's cryptographic signature, the server accepted the claims inside it at face value via ParseUnverified. An attacker can therefore craft a fake token, impersonate any user or tenant, and enroll unauthorized devices into the managed fleet without valid credentials.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-347
  • Attack Vector: Network
  • CVSS: 8.8 (High)
  • Impact: Authentication Bypass / Identity Spoofing
  • Component: server/mdm/microsoft/wstep.go
  • Exploit Status: PoC Available

Affected Systems

  • Fleet Device Management (Server)
  • Windows MDM Enrollment Endpoints
  • Fleet: < Jan 2026 Patch (Fixed in: Commit e225ef5)

Code Analysis

Commit: e225ef5

Fixed proper verification of Azure auth tokens in MDM flow

@@ -12,7 +12,7 @@
- token, _, err := new(jwt.Parser).ParseUnverified(string(tokenBytes), jwt.MapClaims{})
+ token, err := jwt.Parse(string(tokenBytes), func(token *jwt.Token) (interface{}, error) { ...
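Review bot: the keyfunc on the `+` line is elided, so the part this fix hinges on is not visible in the hunk; it should check `token.Method` before returning a key (for example, reject anything that is not `*jwt.SigningMethodRSA`), because with `jwt.Parse` the token's own `alg` header otherwise selects the verification routine, and the caller must treat `err != nil` or `!token.Valid` as a hard failure before reading any claim. Worth adding in the same change: validate `iss`, `aud` and the tenant claim after the signature passes, since a correctly signed token from another tenant still verifies.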

Exploit Details

  • Internal Research: Exploitation involves sending a JWT with the 'none' alg or an arbitrary signature to the /enroll endpoint.

Mitigation Strategies

  • Upgrade Fleet Device Management to the latest version immediately.
  • Enforce JWT signature verification for all authentication flows.
  • Use OpenID Connect (OIDC) discovery endpoints to dynamically fetch and rotate public keys.
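The second mitigation above is exactly the property the vulnerable ParseUnverified call lacked. As an added example that is not Fleet's code, this stand-alone Go verifier shows what a signature-checking parse of an Azure AD-style RS256 token has to do: refuse any header whose alg is not RS256, verify the signature against the issuer's public key, and only then decode the claims. The issuer key and the claims are assumed inputs (in production the key would come from the tenant's OIDC discovery document, as the third mitigation says); MintToken only manufactures constructed test tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// VerifiedClaims performs the step the vulnerable ParseUnverified call skipped: it pins
// the algorithm to RS256 and verifies the signature before a single claim is decoded.
func VerifiedClaims(tok string, pub *rsa.PublicKey) (claims map[string]any, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h struct{ Alg string `json:"alg"` }
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, errors.New("rejected: alg is not RS256") // stops alg "none" and HMAC key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("rejected: signature does not verify")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1]) // read only after the signature held
	if err == nil {
		err = json.Unmarshal(body, &claims)
	}
	return claims, err
}

// MintToken builds constructed sample tokens for testing, not real Azure AD tokens: a nil
// key leaves the signature segment empty, as an alg "none" forgery does; otherwise RS256.
func MintToken(alg string, claims map[string]any, key *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	if key == nil {
		return signing + "."
	}
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

There is no main: exercise it from a test by minting a token with a nil key (the alg-none forgery the exploit section describes) and confirming VerifiedClaims returns an error, then minting an RS256 token with a generated key and confirming the claims come back.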

Remediation Steps:

  1. Pull the latest Docker image or binary for Fleet.
  2. Verify the version includes commit e225ef57912c8f4ac8977e24b5ebe1d9fd875257.
  3. Restart the Fleet server services.
  4. Audit logs for enrollment attempts from unknown device IDs or mismatched Tenant IDs.

Read the full report for CVE-2026-23518 on our website for more details including interactive diagrams and full exploit analysis.
