GHSA-63m5-974w-448v

Source

https://github.com/advisories/GHSA-63m5-974w-448v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-63m5-974w-448v

Aliases

CVE-2026-23518

Published

2026-01-20T20:55:17Z

Modified

2026-01-20T21:12:13.532602Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

Details

Impact

If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.

Patches

4.78.3
4.77.1
4.76.2
4.75.2
4.53.3

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in osquery Slack

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T20:55:17Z",
    "severity": "CRITICAL",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-347"
    ]
}

References

Affected packages

Go

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.78.0

Fixed

4.78.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.77.0

Fixed

4.77.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.76.0

Fixed

4.76.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

4.75.0

Fixed

4.75.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"

github.com/fleetdm/fleet

Package

Name: github.com/fleetdm/fleet; View open source insights on deps.dev
Purl: pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.43.5-0.20260112202845-e225ef57912c

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-63m5-974w-448v/GHSA-63m5-974w-448v.json"