CVE-2026-34389: Authentication Bypass via Invitation Token Mishandling in Fleet
Vulnerability ID: CVE-2026-34389
CVSS Score: 4.9
Published: 2026-03-30
Fleet, an open-source device management platform, contains an improper authentication vulnerability in its user invitation flow. Prior to version 4.81.0, the application failed to validate that the email address submitted during account registration matched the address associated with the provided invitation token. This allows attackers possessing a valid invitation token to provision accounts under arbitrary email addresses while inheriting the privilege level assigned to the original invitee.
TL;DR
A flaw in Fleet prior to version 4.81.0 allows attackers with a leaked invitation token to register an account using an arbitrary email address. This bypasses intended identity verification and grants the attacker the roles associated with the invite, potentially yielding Global Admin access.
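As an added illustration (not Fleet's own code), a Go sketch of the registration check the advisory says was missing before 4.81.0: the vulnerable handler beside a fixed one that binds the new account to the invitee's email. The types, function names and the sample token are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Invite is a constructed stand-in for an invitation record (not Fleet's type).
type Invite struct {
	Email string // address the invite was sent to
	Role  string // privilege the new account inherits
}

// Registration is what the client submits when redeeming an invite.
type Registration struct{ Token, Email string }

var ErrInviteNotFound = errors.New("invite not found")
var ErrEmailMismatch = errors.New("email does not match invitation")

// inviteStore maps token -> invite (constructed, in-memory sample data).
type inviteStore map[string]Invite

// registerVulnerable mirrors the pre-4.81.0 behaviour the advisory describes: the
// token is checked, but the submitted email is never compared with the invitee's.
func registerVulnerable(s inviteStore, r Registration) (email, role string, err error) {
	inv, ok := s[r.Token]
	if !ok {
		return "", "", ErrInviteNotFound
	}
	return r.Email, inv.Role, nil // any email inherits the invite's role
}

// registerFixed adds the missing check and creates the account under the
// invite's own email, so the submitted address can never override it.
func registerFixed(s inviteStore, r Registration) (email, role string, err error) {
	inv, ok := s[r.Token]
	if !ok {
		return "", "", ErrInviteNotFound
	}
	if !strings.EqualFold(strings.TrimSpace(r.Email), inv.Email) {
		return "", "", ErrEmailMismatch
	}
	return inv.Email, inv.Role, nil
}

func main() {
	store := inviteStore{"tok-123": {Email: "alice@example.com", Role: "admin"}}
	_, _, err := registerFixed(store, Registration{Token: "tok-123", Email: "mallory@attacker.example"})
	fmt.Println("fixed path rejects mismatched email:", err)
}
```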
Technical Details
- CWE ID: CWE-287
- Attack Vector: Network
- CVSS 4.0 Score: 4.9
- EPSS Score: 0.00038
- Exploit Status: Unproven
- CISA KEV: Not Listed
Affected Systems
- Fleet Device Management
- Fleet: < 4.81.0 (Fixed in: 4.81.0)
Mitigation Strategies
- Treat invitation links as sensitive credentials
- Apply principle of least privilege to new invites
- Audit recent user registrations for anomalous email domains
Remediation Steps
- Upgrade Fleet to version 4.81.0 or later.
- Revoke any exposed or unused invitation links in the Fleet UI.
- Review the list of current users to verify all accounts belong to authorized personnel.
References
- GitHub Security Advisory (GHSA-4f9r-x588-pp2h)
- Fleet Official Releases
- NVD CVE-2026-34389 Detail
- CVE.org Record