CVE-2026-26060
Published: 27 March 2026
Summary
CVE-2026-26060 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Fleetdm Fleet. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates procedures for revoking authenticators like password reset tokens upon password changes, directly preventing reuse of stale tokens.
SI-2 requires timely flaw remediation through patching to Fleet version 4.81.0, eliminating the vulnerability in password reset token invalidation.
AC-2 establishes account management processes that include password changes, supporting invalidation of associated temporary authenticators like reset tokens.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Fleet password reset logic (insufficient token invalidation) is directly exploitable via T1190 to achieve account takeover, enabling subsequent use of Valid Accounts (T1078).
NVD Description
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset…
more
token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
Deeper analysisAI
CVE-2026-26060 is a vulnerability in the password management logic of Fleet, an open source device management software. In versions prior to 4.81.0, previously issued password reset tokens remain valid even after a user changes their password. This flaw, classified under CWE-613 (Insufficient Session Expiration), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
An attacker with low privileges (PR:L), such as a legitimate user or someone who previously obtained a password reset token, can exploit this over the network with low complexity and no user interaction required. By reusing a stale token after the target user has defensively changed their password, the attacker can reset the account password, gaining unauthorized control over the account.
The official patch is available in Fleet version 4.81.0, which addresses the issue by ensuring password reset tokens are invalidated upon password changes. Additional details are provided in the GitHub security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4.
Details
- CWE(s)