CVE-2026-24000

Severity: Medium

Published: 14 May 2026
Modified: 15 May 2026
CVSS v4 base score: 6.9 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0013 (31.4th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24000 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Fleetdm Fleet. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). Its EPSS exploit-likelihood ranking is the 31.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls.

Fleet determines a client's public IP address using HTTP headers such as X-Forwarded-For, X-Real-IP, and/or True-Client-IP. These headers were trusted without validation. An attacker could supply arbitrary values in these headers, causing Fleet to treat each request as originating from a different IP address. This could allow an attacker to bypass per-IP rate limits and increase the effectiveness of brute-force or password-spraying attempts against authentication endpoints. This issue does not allow authentication bypass, privilege escalation, data exposure, or remote code execution on its own.

Version 4.80.1 contains a patch. As a workaround, run Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.
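The header-trust defect described above, as an added Go example that is not Fleet's own code: a naive resolver that believes the first X-Forwarded-For hop, beside one that only consults the header when the TCP peer is a configured trusted proxy and then takes the rightmost hop not itself a proxy. The trusted-proxy prefix list, the function names and the request values are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// naiveClientIP is the pre-4.80.1 pattern: the first X-Forwarded-For hop is believed as-is.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return r.RemoteAddr
}

// clientIP believes X-Forwarded-For only when the TCP peer is a trusted proxy, then
// walks the chain right-to-left past trusted hops; anything further left is client-supplied.
func clientIP(r *http.Request, trusted []netip.Prefix) string {
	peer, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http sets host:port
	if !isTrusted(peer, trusted) {
		return peer // direct connection: forwarding headers are attacker-controlled
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if h := strings.TrimSpace(hops[i]); h != "" && !isTrusted(h, trusted) {
			return h
		}
	}
	return peer // header absent or every hop was one of our proxies
}

func isTrusted(ip string, trusted []netip.Prefix) bool {
	addr, err := netip.ParseAddr(ip)
	for _, p := range trusted {
		if err == nil && p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() { // constructed request: a direct client forging the header
	r, _ := http.NewRequest("GET", "/login", nil)
	r.RemoteAddr = "198.51.100.9:40000"
	r.Header.Set("X-Forwarded-For", "10.0.0.1")
	fmt.Println(naiveClientIP(r), clientIP(r, nil)) // 10.0.0.1 198.51.100.9
}
```

With the hardened resolver, a forged header from a direct connection is ignored, and a header appended by the trusted proxy still yields the real client address, so per-IP rate-limit buckets stay keyed on something the client cannot choose.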

CWE(s): CWE-290 (Authentication Bypass by Spoofing)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.003 Password Spraying (Credential Access)
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.

T1110.004 Credential Stuffing (Credential Access)
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.
Why these techniques?

Vulnerability allows IP header spoofing to bypass per-IP rate limits, directly facilitating brute force, password spraying, and credential stuffing against auth endpoints.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

fleetdm/fleet ≤ 4.80.1 (note that the vulnerability details above state that version 4.80.1 contains the patch)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-290) Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.
- (addresses CWE-290) Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.
- (addresses CWE-290) Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.
- (addresses CWE-290) Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.
- (addresses CWE-290) Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.
- (addresses CWE-290) Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.
- (addresses CWE-290) Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.
- (addresses CWE-290) Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.
