CVE-2026-26061
Published: 27 March 2026
Summary
CVE-2026-26061 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Fleetdm Fleet. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 Denial-of-service Protection directly mitigates resource exhaustion attacks by requiring limits on resource consumption from oversized HTTP request bodies.
SI-9 Information Input Restrictions enforces limits on the volume and size of inputs like HTTP request bodies to prevent excessive memory allocation.
SC-6 Resource Availability implements controls to monitor and limit resource allocation, directly addressing unbounded memory use from large payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated, network-accessible HTTP endpoints in a public-facing Fleet server allow resource-exhaustion DoS via oversized request bodies. This maps directly to T1190 (exploitation of the public-facing application) and to T1499.004 (application or system exploitation for availability impact).
NVD Description
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.
Deeper analysis
CVE-2026-26061 affects Fleet, an open source device management software, in versions prior to 4.81.0. The vulnerability stems from multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit, enabling excessive memory allocation. This issue, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact potential.
An unauthenticated attacker with network access can exploit this vulnerability by sending large or repeated HTTP payloads to the affected endpoints. The low attack complexity and lack of required privileges make it accessible to remote adversaries, resulting in a denial-of-service (DoS) condition through resource exhaustion.
The Fleet security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp confirms that version 4.81.0 addresses the issue by patching the unauthenticated endpoints to enforce proper size limits on request bodies. Security practitioners should upgrade to Fleet 4.81.0 or later to mitigate this vulnerability.
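The following Go example is added here to make the CWE-770 pattern from the description and the SC-5/SC-6 mitigations from the controls list concrete; it is not Fleet's own code. It shows an endpoint that reads its body with no cap beside the same endpoint capped with the standard library's http.MaxBytesReader, and exercises both in-process with a constructed payload. The 1 MiB limit, the /api/v1/example path and the handler names are assumptions; the page does not state what limit Fleet 4.81.0 applies.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed cap for this example; the limit Fleet 4.81.0
// enforces is not stated on the page.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

// readBody drains the request body and returns the number of bytes accepted.
// A limit <= 0 reproduces the vulnerable pattern: io.ReadAll grows a buffer to
// whatever the client sends, so the client chooses the server's allocation size.
// A positive limit wraps the body in http.MaxBytesReader, which stops reading
// after limit bytes and returns a *http.MaxBytesError.
func readBody(w http.ResponseWriter, r *http.Request, limit int64) (int, error) {
	body := r.Body
	if limit > 0 {
		body = http.MaxBytesReader(w, body, limit)
	}
	data, err := io.ReadAll(body)
	return len(data), err
}

// unboundedHandler: no cap on the body (the CWE-770 pattern).
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	n, err := readBody(w, r, 0)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", n)
}

// boundedHandler: the same endpoint with the body capped. Oversized requests
// are rejected with 413 and at most maxBodyBytes of the payload is ever read.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	n, err := readBody(w, r, maxBodyBytes)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", n)
}

// exercise sends a constructed payload of the given size to a handler
// in-process and returns the HTTP status code it answered with.
func exercise(h http.HandlerFunc, size int) int {
	payload := bytes.Repeat([]byte("A"), size) // constructed test body
	req := httptest.NewRequest(http.MethodPost, "/api/v1/example", bytes.NewReader(payload)) // assumed path
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	big := 4 << 20 // 4 MiB, above the assumed cap
	fmt.Println("unbounded, 4 MiB:", exercise(unboundedHandler, big)) // 200
	fmt.Println("bounded, 4 MiB:  ", exercise(boundedHandler, big))   // 413
	fmt.Println("bounded, 512 B:  ", exercise(boundedHandler, 512))   // 200
}
```

In a real service the cap belongs in middleware applied to every route, unauthenticated ones first, so a new endpoint cannot regress to the unbounded pattern; pairing it with the server's ReadTimeout limits the time a slow client can hold the connection while sending a body under the cap.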
Details
- CWE(s)