CVE-2026-23518
Published: 21 January 2026
Summary
CVE-2026-23518 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fleetdm Fleet. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 15.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-3 (Device Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-3 (Device Identification and Authentication): mandates unique identification and authentication of devices before enrollment, directly preventing acceptance of forged JWT tokens in Fleet's Windows MDM flow.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of organizational users, blocking enrollment under arbitrary forged Azure AD identities.
- IA-5 (Authenticator Management): ensures proper management and verification of authenticators such as JWT tokens, addressing the lack of signature validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Fleet MDM service allows unauthenticated network attackers to bypass JWT signature validation and enroll devices using forged tokens.
NVD Description
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
Deeper analysis
CVE-2026-23518 is a critical vulnerability in Fleet, open source device management software, affecting versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. The issue resides in Fleet's Windows MDM enrollment flow, where authentication tokens in the form of JWTs are not properly validated because their signatures are never verified. This flaw, classified under CWE-347 (Improper Verification of Cryptographic Signature), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity with potential for significant confidentiality, integrity, and availability impacts.
Any unauthenticated attacker with network access can exploit this vulnerability by submitting forged JWT authentication tokens containing arbitrary identity claims. Successful exploitation allows the attacker to enroll unauthorized devices into Fleet under the guise of legitimate Azure AD user identities, potentially granting them unauthorized access to managed device fleets and compromising organizational device management controls.
Fleet has addressed the vulnerability in versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, as detailed in the project's security advisory (GHSA-63m5-974w-448v) and corresponding commit (e225ef57912c8f4ac8977e24b5ebe1d9fd875257). Administrators unable to upgrade immediately are advised to temporarily disable Windows MDM enrollment to mitigate risk.
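The defect class the advisory describes, CWE-347, comes down to reading claims out of a JWT without checking its signature. The Go program below is an added illustration written for this page; it is not Fleet's code and not the project's fix. It places the vulnerable decode (trust the payload as-is) beside a hardened verifier that pins the algorithm, checks an HMAC-SHA256 signature and the audience before any claim is used, and exercises both with a constructed token whose payload was swapped after signing, the negative test any token verifier should pass. The key, audience and claim values are constructed for the example; a production verifier for an identity-provider token would check an asymmetric signature against the provider's published keys, which is an assumption about deployment rather than anything this page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of identity claims an enrollment flow might consult
// (constructed for this example; not Fleet's own type).
type Claims struct {
	Sub string `json:"sub"`
	Upn string `json:"upn"`
	Aud string `json:"aud"`
}

var b64 = base64.RawURLEncoding

// decodePart base64url-decodes one JWS segment and unmarshals it as JSON.
func decodePart(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// ClaimsUnverified is the vulnerable pattern (CWE-347): it decodes the
// payload and trusts whatever claims it finds, never checking the signature.
func ClaimsUnverified(tok string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	err := decodePart(parts[1], &c)
	return c, err
}

// ClaimsVerified is the hardened pattern: pin the algorithm, verify the
// signature with the issuer's key, and check the audience before use.
func ClaimsVerified(tok string, key []byte, wantAud string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "HS256" { // never let the token choose its own algorithm (e.g. "none")
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !hmac.Equal(sig, mac(parts[0]+"."+parts[1], key)) { // constant-time compare
		return c, errors.New("signature verification failed")
	}
	if err := decodePart(parts[1], &c); err != nil {
		return c, err
	}
	if c.Aud != wantAud {
		return c, fmt.Errorf("unexpected aud %q", c.Aud)
	}
	return c, nil
}

// mac computes HMAC-SHA256 over the JWS signing input (header.payload).
func mac(input string, key []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(input))
	return h.Sum(nil)
}

// Sign issues an HS256 token; it stands in for the identity provider here.
func Sign(c Claims, key []byte) string {
	body, _ := json.Marshal(c) // only string fields, so Marshal cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(mac(input, key))
}

// Demo runs both decoders over a genuine token whose payload was swapped for
// different claims after signing (signature now stale) and reports whether
// each one accepted it. The unverified path accepts; the verified path must not.
func Demo() (unverifiedAccepted, verifiedAccepted bool) {
	key := []byte("constructed-demo-key-not-for-real-use") // constructed
	const aud = "example-mdm"                              // constructed audience
	tok := Sign(Claims{Sub: "user-1", Upn: "alice@example.com", Aud: aud}, key)
	other, _ := json.Marshal(Claims{Sub: "user-2", Upn: "other@example.com", Aud: aud})
	parts := strings.Split(tok, ".")
	tampered := parts[0] + "." + b64.EncodeToString(other) + "." + parts[2]
	_, errU := ClaimsUnverified(tampered)
	_, errV := ClaimsVerified(tampered, key, aud)
	return errU == nil, errV == nil
}
```

Demo returns (true, false): the unverified decoder happily reports the swapped identity, which is the behaviour the advisory describes, while the verifier rejects it because the signature no longer covers the payload. The two checks that matter for the hardened path are that the accepted algorithm is fixed by the verifier rather than read from the token, and that the signature is checked before any claim is consulted; the audience check then ensures a token minted for another service cannot be replayed into enrollment.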
Details
- CWE(s)