CVE-2026-23517
Published: 21 January 2026
Summary
CVE-2026-23517 is a high-severity Missing Authorization (CWE-862) vulnerability in Fleetdm Fleet. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK techniques System Information Discovery (T1082) and Endpoint Denial of Service (T1499). The vulnerability ranks at the 17.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations on the debug/pprof endpoints, so that being authenticated is not by itself enough: the session must also carry a role that is permitted to read server diagnostics or start a profiling run.
AC-6 applies least privilege by restricting the debug and profiling endpoints to the few high-privilege roles that operate the server, which directly addresses the missing role check that let Observer and similar low-privilege users through.
CM-7 (least functionality) disables, or does not mount at all, non-essential debug/pprof endpoints in production, removing both the information-disclosure and the denial-of-service surface regardless of which users are authenticated.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing role check on the debug/pprof endpoints lets any authenticated low-privilege user perform System Information Discovery (T1082) by reading runtime profiling data and in-memory application state, and Endpoint Denial of Service (T1499) by repeatedly triggering CPU-intensive profiling runs.
NVD Description
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.
Deeper analysis
CVE-2026-23517 is a missing authorization vulnerability (CWE-862) in Fleet, open source device management software. It affects versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, in which the debug and profiling endpoints (debug/pprof) are reachable by any authenticated user regardless of role. A user holding only the Observer role can therefore view internal server diagnostics, including runtime profiling data and in-memory application state. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H): high confidentiality and availability impact, no integrity impact.
Any authenticated user with low privileges can exploit the flaw over the network with low attack complexity and no user interaction. The attacker can read sensitive server internals, which may expose operational details, and can start CPU-intensive profiling runs that degrade or deny service by overloading the server.
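A check for whether a deployment is still affected, as an added example (it is not Fleet's code and does not come from the advisory): it requests only the pprof index with an Observer user's API token and interprets the HTTP status. The /debug/pprof/ path, the "Authorization: Bearer" header format and the constructed stand-in server are assumptions for the example; the verdict is only meaningful when the token really belongs to a low-privilege user.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// pprofPath is where this example assumes Fleet mounts its profiling index.
// Only the index is requested: never probe /debug/pprof/profile, which starts
// the CPU profiler the advisory warns about.
const pprofPath = "/debug/pprof/"

// Verdict summarises what a status code means when the token belongs to a
// low-privilege (Observer) user.
type Verdict string

const (
	VerdictVulnerable Verdict = "VULNERABLE: low-privilege token reached pprof"
	VerdictGated      Verdict = "OK: pprof rejected the low-privilege token"
	VerdictAbsent     Verdict = "NOT FOUND: nothing mounted at the pprof path"
	VerdictUnknown    Verdict = "UNEXPECTED: inspect the response manually"
)

// probePprof sends one GET for the pprof index carrying an assumed Fleet-style
// "Authorization: Bearer <token>" header and returns the status code.
func probePprof(client *http.Client, baseURL, token string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(baseURL, "/")+pprofPath, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// classify maps the status seen with an Observer token to a verdict.
func classify(status int) Verdict {
	switch status {
	case http.StatusOK:
		return VerdictVulnerable
	case http.StatusUnauthorized, http.StatusForbidden:
		return VerdictGated
	case http.StatusNotFound:
		return VerdictAbsent
	}
	return VerdictUnknown
}

// runProbe is the post-upgrade check: Observer token in, verdict out.
func runProbe(client *http.Client, baseURL, observerToken string) (Verdict, error) {
	status, err := probePprof(client, baseURL, observerToken)
	if err != nil {
		return "", err
	}
	return classify(status), nil
}

// liveClient is what you would pass for a real deployment.
func liveClient() *http.Client { return &http.Client{Timeout: 10 * time.Second} }

// inProcess hands requests to a handler without opening a socket, so the
// constructed target below runs offline.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// fakeFleet is a constructed stand-in, not Fleet: unpatched answers 200 to any
// bearer token at the pprof path; patched answers 403 unless the token is the
// constructed admin token.
func fakeFleet(patched bool) *http.Client {
	const adminToken = "admin-token-example"
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, pprofPath) {
			http.NotFound(w, r)
			return
		}
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || len(auth) == len("Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if patched && strings.TrimPrefix(auth, "Bearer ") != adminToken {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "<html>pprof index</html>")
	})
	return &http.Client{Transport: inProcess{h}}
}

func main() {
	_ = liveClient() // e.g. runProbe(liveClient(), "https://fleet.example.com", "<observer token>")
	for _, patched := range []bool{false, true} {
		v, err := runProbe(fakeFleet(patched), "http://fleet.example.test", "observer-token-example")
		if err != nil {
			fmt.Println("probe failed:", err)
			continue
		}
		fmt.Printf("patched=%v -> %s\n", patched, v)
	}
}
```

Run it with a token minted for a dedicated Observer account and keep that account around: the same probe in a scheduled job catches a regression or a rollback to an affected version.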
Fleet fixed the issue in versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3; the fix is described in the GitHub security advisory (GHSA-4r5r-ccr6-q6f6) and implemented in commit 5c030e32a3a9bc512355b5e1bf19636e4e6d0317. If upgrading is not immediately possible, place the debug/pprof endpoints behind an IP allowlist (at a reverse proxy or firewall in front of Fleet) as a workaround. Note what the allowlist does and does not do: it limits which networks can reach the endpoints, but it does not restore the missing role check, so an Observer account connecting from an allowed network can still use them until the upgrade is applied.
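The controls listed under Mitigating Controls (the AC-3/AC-6 role check and CM-7 not mounting the endpoints) and the IP-allowlist workaround above, shown together as an added Go example. This is not Fleet's code and not the patching commit: the role names, the X-Example-Role header and the 10.0.0.0/8 allowlist are assumptions chosen so the example runs offline, whereas Fleet derives roles from its own session model.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// Role stands in for the application's role model; the names are assumptions,
// the page only tells us that "Observer" must not reach profiling.
type Role string

const (
	RoleAdmin    Role = "admin"
	RoleObserver Role = "observer"
)

// roleFromRequest stands in for the session lookup. The role comes from a
// constructed header so the example runs offline; a real server takes it from
// the authenticated session and never trusts a client-supplied header.
func roleFromRequest(r *http.Request) Role {
	return Role(r.Header.Get("X-Example-Role"))
}

// vulnerableMux reproduces the pattern the advisory describes: pprof sits
// behind an "is anyone logged in?" check, so every role gets through.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if roleFromRequest(r) == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		pprof.Index(w, r) // authenticated, but never authorized
	}))
	return mux
}

// requireRole is the AC-3/AC-6 fix: the session must carry a listed role.
func requireRole(next http.Handler, allowed ...Role) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := roleFromRequest(r)
		for _, a := range allowed {
			if got == a {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// ipAllowlist is the advisory's interim workaround done in-process. It checks
// the TCP peer (RemoteAddr); behind a reverse proxy, enforce the allowlist at
// the proxy instead of trusting X-Forwarded-For here.
func ipAllowlist(next http.Handler, cidrs []string) http.Handler {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			log.Fatalf("bad allowlist entry %q: %v", c, err)
		}
		nets = append(nets, n)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); err == nil && ip != nil {
			for _, n := range nets {
				if n.Contains(ip) {
					next.ServeHTTP(w, r)
					return
				}
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// hardenedMux layers the controls: CM-7 (mount nothing unless an operator opts
// in), then the allowlist, then the role check. Importing net/http/pprof also
// registers its handlers on http.DefaultServeMux, so never serve DefaultServeMux
// (http.ListenAndServe with a nil handler) if this gate is to mean anything.
func hardenedMux(enablePprof bool, allowCIDRs []string) http.Handler {
	mux := http.NewServeMux()
	if !enablePprof {
		return mux // nothing mounted: 404 for everyone
	}
	h := requireRole(http.HandlerFunc(pprof.Index), RoleAdmin)
	mux.Handle("/debug/pprof/", ipAllowlist(h, allowCIDRs))
	return mux
}

// statusFor GETs the pprof index as the given role from the given peer and
// returns the HTTP status, without binding a socket.
func statusFor(h http.Handler, role Role, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil)
	req.RemoteAddr = remoteAddr
	if role != "" {
		req.Header.Set("X-Example-Role", string(role))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := hardenedMux(true, []string{"10.0.0.0/8"})
	fmt.Println("vulnerable, observer:       ", statusFor(vulnerableMux(), RoleObserver, "203.0.113.9:4444")) // 200
	fmt.Println("hardened, observer, inside: ", statusFor(h, RoleObserver, "10.1.2.3:4444"))                   // 403
	fmt.Println("hardened, admin, inside:    ", statusFor(h, RoleAdmin, "10.1.2.3:4444"))                      // 200
	fmt.Println("hardened, admin, outside:   ", statusFor(h, RoleAdmin, "203.0.113.9:4444"))                   // 403
}
```

The ordering matters less than the fact that both gates exist: the allowlist alone is the workaround, the role check alone is the fix, and only CM-7 removes the CPU-profiling denial-of-service surface for everyone.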
Details
- CWE(s)