Cyber Resilience

CVE-2026-23518

Critical

Published: 21 January 2026
Modified: 27 February 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0023 (13.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23518 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fleetdm Fleet. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 13.1th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-23518 is a critical vulnerability in Fleet, open-source device management software, affecting versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. The issue resides in Fleet's Windows MDM enrollment flow, where authentication tokens in the form of JWTs are accepted without their signatures being verified, so the identity claims they carry are never actually validated. The flaw is classified as CWE-347 (Improper Verification of Cryptographic Signature) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network without authentication or user interaction, with high confidentiality, integrity, and availability impact.

Any unauthenticated attacker with network access can exploit this vulnerability by submitting forged JWT authentication tokens containing arbitrary identity claims. Successful exploitation allows the attacker to enroll unauthorized devices into Fleet under the guise of legitimate Azure AD user identities, potentially granting them unauthorized access to managed device fleets and compromising organizational device management controls.

Fleet has addressed the vulnerability in versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, as detailed in the project's security advisory (GHSA-63m5-974w-448v) and corresponding commit (e225ef57912c8f4ac8977e24b5ebe1d9fd875257). Administrators unable to upgrade immediately are advised to temporarily disable Windows MDM enrollment to mitigate risk.

Vulnerability details

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

A vulnerability in the public-facing Fleet MDM service allows unauthenticated network attackers to bypass JWT signature validation and enroll devices using forged tokens.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

fleetdm/fleet: 4.77.0 · ≤ 4.53.3 · 4.75.0 to 4.75.2 · 4.76.0 to 4.76.2

Mitigating Controls (NIST 800-53 r5)

prevent (IA-3, Device Identification and Authentication): Mandates unique identification and authentication of devices before enrollment, directly preventing acceptance of forged JWT tokens in Fleet's Windows MDM flow.

prevent (IA-2, Identification and Authentication (Organizational Users)): Requires identification and authentication of organizational users, blocking enrollment under arbitrary forged Azure AD identities.

prevent: Ensures proper management and verification of authenticators such as JWT tokens, addressing the lack of signature validation.
