CVE-2026-26060

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-26060
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26060.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26060
Aliases
Downstream
Related
Published
2026-03-27T18:22:43.244Z
Modified
2026-04-10T05:40:55.051685Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Fleet: Password reset tokens remain valid after password change for 24 hours
Details

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-613"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26060.json"
}
References

Affected packages

Git / github.com/fleetdm/fleet

Affected ranges

Type
GIT
Repo
https://github.com/fleetdm/fleet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9dbcc38ce1046074ac230804f32ae1689026041f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.81.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-rc1
1.0.0-rc2
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
2.*
2.0.0
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
2.0.0-rc5
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
3.*
3.0.0
3.1.0
3.10.0
3.10.1
3.11.0
3.12.0
3.13.0
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.6.0
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0
3.9.0
fleet-v4.*
fleet-v4.10.0
fleet-v4.11.0
fleet-v4.12.0
fleet-v4.13.0
fleet-v4.14.0
fleet-v4.15.0
fleet-v4.16.0
fleet-v4.17.0
fleet-v4.18.0
fleet-v4.19.0
fleet-v4.2.0
fleet-v4.2.2
fleet-v4.20.0
fleet-v4.22.0
fleet-v4.23.0
fleet-v4.24.0
fleet-v4.25.0
fleet-v4.26.0
fleet-v4.27.0
fleet-v4.28.0
fleet-v4.29.0
fleet-v4.3.0
fleet-v4.3.1
fleet-v4.30.0
fleet-v4.31.0
fleet-v4.32.0
fleet-v4.33.0
fleet-v4.34.0
fleet-v4.35.0
fleet-v4.36.0
fleet-v4.37.0
fleet-v4.38.0
fleet-v4.39.0
fleet-v4.4.0
fleet-v4.40.0
fleet-v4.41.0
fleet-v4.43.0
fleet-v4.45.0
fleet-v4.47.0
fleet-v4.48.0
fleet-v4.49.0
fleet-v4.5.0
fleet-v4.50.0
fleet-v4.51.0
fleet-v4.6.0
fleet-v4.6.1
fleet-v4.7.0
fleet-v4.8.0
Other
fleetctl-docker-deps-20260113
fleetctl-docker-deps-20260129
orbit-test-build
fleetctl-docker-deps-v4.*
fleetctl-docker-deps-v4.60.0
fleetctl-docker-deps-v4.76.1
fleetd-android-v1.*
fleetd-android-v1.0.0
fleetd-chrome-v1.*
fleetd-chrome-v1.1.0-beta
fleetd-chrome-v1.1.1-beta
fleetd-chrome-v1.1.3
fleetd-chrome-v1.1.3-beta
fleetd-chrome-v1.2.0
fleetd-chrome-v1.2.0-beta
fleetd-chrome-v1.2.1-beta
fleetd-chrome-v1.3.0
fleetd-chrome-v1.3.1
orbit-v0.*
orbit-v0.0.11
orbit-v0.0.12
orbit-v0.0.13
orbit-v0.0.4
orbit-v0.0.5
orbit-v0.0.6
orbit-v0.0.7
orbit-v0.0.9
orbit-v1.*
orbit-v1.0.0
orbit-v1.1.0
orbit-v1.10.0
orbit-v1.11.0
orbit-v1.12.0
orbit-v1.12.1
orbit-v1.13.0
orbit-v1.14.0
orbit-v1.15.0
orbit-v1.16.0
orbit-v1.16.0-2
orbit-v1.17.0
orbit-v1.18.0-RC
orbit-v1.18.2
orbit-v1.18.3
orbit-v1.2.0-rc1
orbit-v1.20.0
orbit-v1.3.0
orbit-v1.3.0-rc
orbit-v1.4.0
orbit-v1.4.0-rc
orbit-v1.4.1
orbit-v1.41.0
orbit-v1.42.0
orbit-v1.43.0
orbit-v1.45.0
orbit-v1.48.0
orbit-v1.49.0
orbit-v1.5.0
orbit-v1.50.0
orbit-v1.51.0
orbit-v1.7.0
orbit-v1.8.0
orbit-v1.9.0
orbit-v1.9.1
rc-fleetctl-test-v4.*
rc-fleetctl-test-v4.63.0
tf-mod-addon-bfldf-v1.*
tf-mod-addon-bfldf-v1.1.0
tf-mod-addon-byo-file-carving-target-account-v1.*
tf-mod-addon-byo-file-carving-target-account-v1.0.0
tf-mod-addon-byo-file-carving-target-account-v1.1.0
tf-mod-addon-byo-file-carving-v1.*
tf-mod-addon-byo-file-carving-v1.0.0
tf-mod-addon-byo-file-carving-v1.1.0
tf-mod-addon-byo-firehose-logging-destination-firehose-v1.*
tf-mod-addon-byo-firehose-logging-destination-firehose-v1.0.0
tf-mod-addon-byo-firehose-logging-destination-firehose-v1.1.0
tf-mod-addon-byo-firehose-logging-destination-firehose-v2.*
tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.0
tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.1
tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.2
tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.3
tf-mod-addon-byo-firehose-logging-destination-target-account-v1.*
tf-mod-addon-byo-firehose-logging-destination-target-account-v1.0.0
tf-mod-addon-byo-firehose-logging-destination-target-account-v1.1.0
tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.*
tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.0
tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.1
tf-mod-addon-byo-kinesis-logging-destination-target-account-v1.*
tf-mod-addon-byo-kinesis-logging-destination-target-account-v1.0.0
tf-mod-addon-external-vuln-scans-v1.*
tf-mod-addon-external-vuln-scans-v1.0.0
tf-mod-addon-external-vuln-scans-v2.*
tf-mod-addon-external-vuln-scans-v2.0.0
tf-mod-addon-external-vuln-scans-v2.0.1
tf-mod-addon-external-vuln-scans-v2.0.2
tf-mod-addon-external-vuln-scans-v2.1.0
tf-mod-addon-external-vuln-scans-v2.2.0
tf-mod-addon-geolite2-v1.*
tf-mod-addon-geolite2-v1.0.0
tf-mod-addon-logging-alb-v1.*
tf-mod-addon-logging-alb-v1.0.0
tf-mod-addon-logging-alb-v1.0.1
tf-mod-addon-logging-alb-v1.0.2
tf-mod-addon-logging-alb-v1.1.0
tf-mod-addon-logging-alb-v1.1.1
tf-mod-addon-logging-alb-v1.2.0
tf-mod-addon-logging-destination-firehose-v1.*
tf-mod-addon-logging-destination-firehose-v1.0.0
tf-mod-addon-logging-destination-firehose-v1.1.0
tf-mod-addon-logging-destination-firehose-v1.1.1
tf-mod-addon-mdm-v1.*
tf-mod-addon-mdm-v1.0.0
tf-mod-addon-mdm-v1.1.0
tf-mod-addon-mdm-v1.2.0
tf-mod-addon-mdm-v1.2.1
tf-mod-addon-mdm-v1.2.2
tf-mod-addon-mdm-v1.3.0
tf-mod-addon-mdm-v1.4.0
tf-mod-addon-mdm-v1.4.1
tf-mod-addon-mdm-v1.5.0
tf-mod-addon-mdm-v2.*
tf-mod-addon-mdm-v2.0.0
tf-mod-addon-mdmproxy-v1.*
tf-mod-addon-mdmproxy-v1.0.0
tf-mod-addon-mdmproxy-v1.0.1
tf-mod-addon-migrations-v1.*
tf-mod-addon-migrations-v1.0.0
tf-mod-addon-migrations-v2.*
tf-mod-addon-migrations-v2.0.0
tf-mod-addon-migrations-v2.0.1
tf-mod-addon-monitoring-v1.*
tf-mod-addon-monitoring-v1.0.0
tf-mod-addon-monitoring-v1.1.0
tf-mod-addon-monitoring-v1.1.1
tf-mod-addon-monitoring-v1.1.2
tf-mod-addon-monitoring-v1.1.3
tf-mod-addon-monitoring-v1.2.0
tf-mod-addon-monitoring-v1.3.0
tf-mod-addon-monitoring-v1.4.0
tf-mod-addon-monitoring-v1.4.1
tf-mod-addon-monitoring-v1.5.0
tf-mod-addon-monitoring-v1.5.1
tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.*
tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.0.0
tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.1.0
tf-mod-addon-osquery-carve-split-account-split-account-v1.*
tf-mod-addon-osquery-carve-split-account-split-account-v1.0.0
tf-mod-addon-osquery-carve-split-account-split-account-v1.1.0
tf-mod-addon-osquery-carve-v1.*
tf-mod-addon-osquery-carve-v1.0.0
tf-mod-addon-osquery-carve-v1.0.1
tf-mod-addon-osquery-carve-v1.1.0
tf-mod-addon-osquery-perf-v1.*
tf-mod-addon-osquery-perf-v1.0.0
tf-mod-addon-saml-auth-proxy-v1.*
tf-mod-addon-saml-auth-proxy-v1.0.0
tf-mod-addon-saml-auth-proxy-v1.1.0
tf-mod-addon-saml-auth-proxy-v1.2.0
tf-mod-addon-saml-auth-proxy-v1.3.0
tf-mod-addon-ses-v1.*
tf-mod-addon-ses-v1.0.0
tf-mod-addon-ses-v1.1.0
tf-mod-addon-ses-v1.2.0
tf-mod-addon-vuln-processing-v1.*
tf-mod-addon-vuln-processing-v1.0.0
tf-mod-addon-vuln-processing-v1.1.0
tf-mod-addon-waf-alb-v1.*
tf-mod-addon-waf-alb-v1.0.0
tf-mod-addon-waf-alb-v2.*
tf-mod-addon-waf-alb-v2.0.0
tf-mod-byo-db-v1.*
tf-mod-byo-db-v1.0.0
tf-mod-byo-db-v1.1.0
tf-mod-byo-db-v1.2.0
tf-mod-byo-db-v1.3.0
tf-mod-byo-db-v1.3.1
tf-mod-byo-db-v1.3.2
tf-mod-byo-db-v1.4.0
tf-mod-byo-db-v1.5.0
tf-mod-byo-db-v1.5.1
tf-mod-byo-db-v1.6.0
tf-mod-byo-db-v1.7.0
tf-mod-byo-db-v1.7.1
tf-mod-byo-db-v1.8.0
tf-mod-byo-db-v1.9.0
tf-mod-byo-ecs-v1.*
tf-mod-byo-ecs-v1.0.0
tf-mod-byo-ecs-v1.1.0
tf-mod-byo-ecs-v1.2.0
tf-mod-byo-ecs-v1.3.0
tf-mod-byo-ecs-v1.4.0
tf-mod-byo-ecs-v1.4.1
tf-mod-byo-ecs-v1.5.0
tf-mod-byo-ecs-v1.6.0
tf-mod-byo-ecs-v1.6.1
tf-mod-byo-ecs-v1.7.0
tf-mod-byo-ecs-v1.8.0
tf-mod-byo-ecs-v1.8.1
tf-mod-byo-vpc-v1.*
tf-mod-byo-vpc-v1.0.0
tf-mod-byo-vpc-v1.1.0
tf-mod-byo-vpc-v1.10.0
tf-mod-byo-vpc-v1.10.1
tf-mod-byo-vpc-v1.11.0
tf-mod-byo-vpc-v1.12.0
tf-mod-byo-vpc-v1.12.1
tf-mod-byo-vpc-v1.2.0
tf-mod-byo-vpc-v1.3.0
tf-mod-byo-vpc-v1.4.0
tf-mod-byo-vpc-v1.5.0
tf-mod-byo-vpc-v1.6.0
tf-mod-byo-vpc-v1.6.1
tf-mod-byo-vpc-v1.7.0
tf-mod-byo-vpc-v1.7.1
tf-mod-byo-vpc-v1.8.0
tf-mod-byo-vpc-v1.8.1
tf-mod-byo-vpc-v1.8.2
tf-mod-byo-vpc-v1.8.3
tf-mod-byo-vpc-v1.9.0
tf-mod-root-v1.*
tf-mod-root-v1.0.0
tf-mod-root-v1.1.0
tf-mod-root-v1.1.1
tf-mod-root-v1.10.0
tf-mod-root-v1.11.0
tf-mod-root-v1.11.1
tf-mod-root-v1.2.0
tf-mod-root-v1.3.0
tf-mod-root-v1.4.0
tf-mod-root-v1.5.0
tf-mod-root-v1.5.1
tf-mod-root-v1.6.0
tf-mod-root-v1.6.1
tf-mod-root-v1.7.0
tf-mod-root-v1.7.1
tf-mod-root-v1.7.2
tf-mod-root-v1.7.3
tf-mod-root-v1.8.0
tf-mod-root-v1.9.0
tf-mod-root-v1.9.1
tf-mod-root-v1.9.2
v0.*
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v4.*
v4.0.0
v4.0.0-rc3
v4.0.1
v4.1.0
v4.28.0
v4.36.0
v4.37.0
v4.43.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26060.json"