GHSA-63m5-974w-448v

Source

https://github.com/advisories/GHSA-63m5-974w-448v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-63m5-974w-448v

Aliases

Published

2026-01-20T20:55:17Z

Modified

2026-02-28T06:27:31.335156Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

Details

Summary

A vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.

Impact

If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.

Patches

4.78.3
4.77.1
4.76.2
4.75.2
4.53.3

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in osquery Slack

Credits

We thank @secfox-ai for responsibly reporting this issue.

Database specific

{
    "nvd_published_at": "2026-01-21T22:15:50Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-347"
    ],
    "github_reviewed_at": "2026-01-20T20:55:17Z"
}

References

Affected packages

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.78.0

Fixed

4.78.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.77.0

Fixed

4.77.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.76.0

Fixed

4.76.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.75.0

Fixed

4.75.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.43.5-0.20260112202845-e225ef57912c

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"