CVE-2026-26061: CVE-2026-26061: Unauthenticated Denial of Service via Unbounded Memory Allocation in Fleet

#security #cve #cybersecurity

CVE-2026-26061: Unauthenticated Denial of Service via Unbounded Memory Allocation in Fleet

Vulnerability ID: CVE-2026-26061
CVSS Score: 8.7
Published: 2026-03-27

Fleet device management software versions prior to 4.81.0 are vulnerable to an unauthenticated denial-of-service (DoS) attack. The vulnerability stems from a failure to enforce size limits on HTTP request bodies at specific osquery logging and telemetry endpoints, allowing remote attackers to exhaust server memory.

TL;DR

Missing HTTP request body size limits in Fleet allow unauthenticated attackers to cause Out-Of-Memory (OOM) crashes by sending massive payloads to osquery API endpoints.

Technical Details

CWE ID: CWE-770
Attack Vector: Network
CVSS Score: 8.7
Impact: High (Denial of Service)
Authentication Required: None
Exploit Status: Unweaponized / Proof of Concept

Affected Systems

Fleet device management (fleetdm/fleet)
Fleet: < 4.81.0 (Fixed in: 4.81.0)

Mitigation Strategies

Upgrade Fleet to version 4.81.0 or later.
Implement maximum request body size limits at the reverse proxy or ingress controller (e.g., Nginx client_max_body_size).
Deploy Web Application Firewall (WAF) rules to drop unusually large POST requests targeting /api/osquery/* endpoints.

Remediation Steps:

Review current Fleet deployment version to confirm vulnerability status.
Plan a maintenance window to upgrade Fleet infrastructure to v4.81.0.
Execute the upgrade process according to Fleet's official documentation.
Tune the newly introduced body size limit parameters in Fleet 4.81.0 to match legitimate baseline traffic.
Monitor application logs for HTTP 413 (Payload Too Large) responses to identify dropped legitimate traffic or active DoS attempts.