DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27465: Fleet's Open Secret: The Google Calendar Key Leak

Vulnerability ID: CVE-2026-27465
CVSS Score: 4.3
Published: 2026-02-26

A deep dive into CVE-2026-27465, where Fleet Device Management inadvertently exposed Google Calendar service account private keys to low-privileged users via the application configuration API. The bug illustrates the danger of relying on Go's default struct-to-JSON serialization, which emits every exported field unless the type opts out, and the risk of treating the configuration object as a catch-all bucket that mixes secrets with settings every user is allowed to read.

TL;DR

Fleet versions prior to 4.80.1 return the unmasked Google service account key in the global configuration API. Any authenticated user, including one holding only the restricted 'Observer' role, can retrieve the full private key and use it to authenticate to Google APIs as that service account, with whatever permissions the account holds in Google Cloud.


Technical Details

  • CWE: CWE-201 (Insertion of Sensitive Information Into Sent Data)
  • CVSS v3.1: 4.3 (Medium)
  • Attack Vector: Network (Authenticated)
  • Privileges Required: Low (Observer)
  • Impact: Information Disclosure (note that a 4.3 base score corresponds to a Low confidentiality metric in CVSS v3.1; the practical impact of a leaked service account private key is higher than the score suggests, so do not triage on the number alone)
  • Fixed Version: 4.80.1

Affected Systems

  • Fleet Device Management (fleetdm): all versions before 4.80.1 (fixed in 4.80.1)

Code Analysis

Commit: 23fc680

Fixed sensitive credential disclosure in Google Calendar integration

The fix gives the key its own type with a custom MarshalJSON, so the default serializer no longer copies the raw value into API responses. The commit excerpt shown in the report elides the unmasked branch:

```go
// MarshalJSON returns the mask sentinel instead of the key unless the
// value has been explicitly flagged for plain-text output.
func (k GoogleCalendarApiKey) MarshalJSON() ([]byte, error) {
	if k.masked {
		return json.Marshal("********")
	}
	...
}
```
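To show the pattern the fix relies on, here is an added example (not Fleet's code; the type and field names LeakyConfig, MaskedKey, HardenedConfig and the sample key are made up for illustration). It places a plain-string credential field, which Go's default marshaling copies verbatim, beside a type whose MarshalJSON masks by default and only reveals on an explicit opt-in, and it also handles the round-trip case where a client sends the masked sentinel back in an update.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample key material for the example; not a real credential.
const sampleKeyJSON = `{"type":"service_account","client_email":"fleet-calendar@example.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\nMIIEv...EXAMPLE...\n-----END PRIVATE KEY-----\n"}`

// LeakyConfig models the pre-fix shape (hypothetical names): the key is a plain
// string, so encoding/json's default marshaling copies it verbatim into any
// response built from this struct.
type LeakyConfig struct {
	Domain string `json:"domain"`
	APIKey string `json:"api_key_json"`
}

// MaskedKey is the hardened shape. Masking is the default; unmasked output
// requires an explicit opt-in, so a code path that forgets to call Reveal
// fails closed (the secret stays hidden) rather than open.
type MaskedKey struct {
	value    string
	unmasked bool
}

func NewMaskedKey(v string) MaskedKey { return MaskedKey{value: v} }

// Reveal returns a copy that marshals the real value. Use it only on paths
// that truly need the secret (handing it to the Calendar client), never on
// the config endpoint that every authenticated user can read.
func (k MaskedKey) Reveal() MaskedKey { k.unmasked = true; return k }

// MarshalJSON emits the mask sentinel unless Reveal was called.
func (k MaskedKey) MarshalJSON() ([]byte, error) {
	if !k.unmasked {
		return json.Marshal("********")
	}
	return json.Marshal(k.value)
}

// UnmarshalJSON accepts a pasted key but treats the mask sentinel as "keep the
// stored value", so a client that reads masked config and writes it back does
// not overwrite the real secret with asterisks.
func (k *MaskedKey) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	if s != "********" {
		k.value = s
	}
	return nil
}

// HardenedConfig is the post-fix shape: same field, opt-out type.
type HardenedConfig struct {
	Domain string    `json:"domain"`
	APIKey MaskedKey `json:"api_key_json"`
}

// RenderLeaky returns what the pre-fix config endpoint would have served.
func RenderLeaky() (string, error) {
	b, err := json.Marshal(LeakyConfig{Domain: "example.com", APIKey: sampleKeyJSON})
	return string(b), err
}

// RenderHardened returns the response body after the fix.
func RenderHardened() (string, error) {
	b, err := json.Marshal(HardenedConfig{Domain: "example.com", APIKey: NewMaskedKey(sampleKeyJSON)})
	return string(b), err
}

// ContainsPrivateKey is the check to apply to any response body: does it
// carry PEM private-key material?
func ContainsPrivateKey(body string) bool {
	return strings.Contains(body, "BEGIN PRIVATE KEY")
}

func main() {
	leaky, _ := RenderLeaky()
	hard, _ := RenderHardened()
	fmt.Println("pre-fix leaks key:", ContainsPrivateKey(leaky))
	fmt.Println("post-fix leaks key:", ContainsPrivateKey(hard))
}
```

The design choice worth copying is the direction of the default: the secret type hides itself unless asked, so a new endpoint that forgets about masking is safe by construction, whereas a boolean that must be set to true before serialization is exactly the kind of thing that gets missed on a new code path.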

Exploit Details

  • Internal: a standard API request (GET /api/v1/fleet/config) by any authenticated user, Observer included, returns the service account credentials in plain text. No exploit tooling is needed beyond a valid session or API token.
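As an added example (not from the original report or from Fleet), the following Go program makes the same GET /api/v1/fleet/config request with a Bearer token and walks the returned JSON for PEM private-key material, so it can be run with an Observer token before and after the upgrade to confirm that the endpoint now masks the key. The response layout in the constructed samples is illustrative, not Fleet's actual config schema, and FLEET_URL and FLEET_TOKEN are assumed environment variable names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"sort"
	"strings"
)

// Constructed sample bodies (field layout is illustrative, not Fleet's real
// schema). leakedSample is what a pre-4.80.1 server is described as
// returning; maskedSample is the fixed form.
const leakedSample = `{"org_info":{"org_name":"acme"},"integrations":{"google_calendar":[{"domain":"acme.example","api_key_json":"{\"type\":\"service_account\",\"client_email\":\"cal@acme.iam.gserviceaccount.com\",\"private_key\":\"-----BEGIN PRIVATE KEY-----\\nMIIEvEXAMPLE\\n-----END PRIVATE KEY-----\\n\"}"}]}}`

const maskedSample = `{"org_info":{"org_name":"acme"},"integrations":{"google_calendar":[{"domain":"acme.example","api_key_json":"********"}]}}`

// looksLikePEMKey matches any PEM private-key block (PKCS#8, RSA, EC), so a
// key embedded inside a service-account JSON blob is caught as well.
func looksLikePEMKey(s string) bool {
	return strings.Contains(s, "-----BEGIN ") && strings.Contains(s, "PRIVATE KEY-----")
}

// walk records the JSON path of every string value that carries key material.
func walk(path string, v interface{}, hits *[]string) {
	switch x := v.(type) {
	case map[string]interface{}:
		for k, child := range x {
			walk(path+"."+k, child, hits)
		}
	case []interface{}:
		for i, child := range x {
			walk(fmt.Sprintf("%s[%d]", path, i), child, hits)
		}
	case string:
		if looksLikePEMKey(x) {
			*hits = append(*hits, path)
		}
	}
}

// FindLeakedKeys parses a config response and returns the sorted paths of any
// unmasked private keys. An empty result means the endpoint is masking.
func FindLeakedKeys(body []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("config response is not JSON: %w", err)
	}
	var hits []string
	walk("$", doc, &hits)
	sort.Strings(hits)
	return hits, nil
}

// CheckConfigEndpoint performs the same request an Observer-level user can
// make and audits the response. Run it with a low-privilege token, not an
// admin one, so that a clean result actually proves the fix.
func CheckConfigEndpoint(baseURL, token string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(baseURL, "/")+"/api/v1/fleet/config", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d from config endpoint", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 8<<20))
	if err != nil {
		return nil, err
	}
	return FindLeakedKeys(body)
}

func main() {
	base, token := os.Getenv("FLEET_URL"), os.Getenv("FLEET_TOKEN")
	if base == "" || token == "" {
		// Offline demonstration against the constructed samples.
		for name, body := range map[string]string{"pre-fix": leakedSample, "post-fix": maskedSample} {
			hits, _ := FindLeakedKeys([]byte(body))
			fmt.Printf("%s: %d leaked key(s) %v\n", name, len(hits), hits)
		}
		return
	}
	hits, err := CheckConfigEndpoint(base, token)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check failed:", err)
		os.Exit(2)
	}
	if len(hits) > 0 {
		fmt.Println("VULNERABLE: unmasked key material at", hits)
		os.Exit(1)
	}
	fmt.Println("OK: config endpoint masks service account keys")
}
```

Run it as `FLEET_URL=https://fleet.example FLEET_TOKEN=<observer token> go run main.go`; a non-zero exit code makes it usable as a post-upgrade gate. Walking the whole document rather than looking up one known field is deliberate: it also flags any other integration that stores PEM material in the same catch-all config object.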

Mitigation Strategies

  • Upgrade Fleet to version 4.80.1 or later immediately.
  • Treat every service account key that was ever stored in Fleet's configuration as compromised: any Observer-level account could have read it, so rotate rather than assume it was never fetched.
  • Review Google Cloud audit logs for activity by the service account from unexpected principals or sources during the exposure window.
  • Implement least-privilege IAM roles for the Google service account so that a leaked key cannot be used beyond what the calendar integration needs.

Remediation Steps:

  1. Upgrade the Fleet server binary to 4.80.1.
  2. Log in to Google Cloud Console.
  3. Navigate to the Service Account associated with Fleet.
  4. Generate a new JSON key.
  5. Upload the new key to Fleet configuration.
  6. Revoke/Delete the old key in Google Cloud Console.
