Cyber Resilience

CVE-2026-26060

Medium

Published: 27 March 2026

Published
27 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-26060 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in Fleetdm Fleet. Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26060 is a vulnerability in the password management logic of Fleet, an open source device management software. In versions prior to 4.81.0, previously issued password reset tokens remain valid even after a user changes their password. This flaw, classified under CWE-613 (Insufficient Session Expiration), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An attacker with low privileges (PR:L), such as a legitimate user or someone who previously obtained a password reset token, can exploit this over the network with low complexity and no user interaction required. By reusing a stale token after the target user has defensively changed their password, the attacker can reset the account password, gaining unauthorized control over the account.

The official patch is available in Fleet version 4.81.0, which addresses the issue by ensuring password reset tokens are invalidated upon password changes. Additional details are provided in the GitHub security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset…

more

token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Vulnerability in public-facing Fleet password reset logic (insufficient token invalidation) is directly exploitable via T1190 to achieve account takeover, enabling subsequent use of Valid Accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23518Same product: Fleetdm Fleet
CVE-2026-26186Same product: Fleetdm Fleet
CVE-2026-34387Same product: Fleetdm Fleet
CVE-2026-26061Same product: Fleetdm Fleet
CVE-2026-34385Same product: Fleetdm Fleet
CVE-2026-34386Same product: Fleetdm Fleet
CVE-2026-29180Same product: Fleetdm Fleet
CVE-2026-34391Same product: Fleetdm Fleet
CVE-2026-27806Same product: Fleetdm Fleet
CVE-2026-23517Same product: Fleetdm Fleet

Affected Assets

fleetdm
fleet
≤ 4.81.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 mandates procedures for revoking authenticators like password reset tokens upon password changes, directly preventing reuse of stale tokens.

prevent

SI-2 requires timely flaw remediation through patching to Fleet version 4.81.0, eliminating the vulnerability in password reset token invalidation.

prevent

AC-2 establishes account management processes that include password changes, supporting invalidation of associated temporary authenticators like reset tokens.

References