GHSA-gfpw-jgvr-cw4j

Suggest an improvement
Source
https://github.com/advisories/GHSA-gfpw-jgvr-cw4j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gfpw-jgvr-cw4j
Aliases
Published
2026-01-20T20:52:17Z
Modified
2026-01-22T15:52:21.123292Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
Summary
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Details

Summary

A cross-site scripting (XSS) vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices.

Impact

If Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser.

A compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts.

This issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled.

Patches

  • 4.78.2
  • 4.77.1
  • 4.76.2
  • 4.75.2
  • 4.53.3

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in osquery Slack

Credits

We thank @secfox-ai for responsibly reporting this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-01-21T22:15:49Z",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T20:52:17Z"
}
References

Affected packages

Go

github.com/fleetdm/fleet

Package

Name
github.com/fleetdm/fleet
View open source insights on deps.dev
Purl
pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type
SEMVER
Events
Introduced
4.78.0
Fixed
4.78.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json"

github.com/fleetdm/fleet

Package

Name
github.com/fleetdm/fleet
View open source insights on deps.dev
Purl
pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type
SEMVER
Events
Introduced
4.77.0
Fixed
4.77.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json"

github.com/fleetdm/fleet

Package

Name
github.com/fleetdm/fleet
View open source insights on deps.dev
Purl
pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type
SEMVER
Events
Introduced
4.76.0
Fixed
4.76.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json"

github.com/fleetdm/fleet

Package

Name
github.com/fleetdm/fleet
View open source insights on deps.dev
Purl
pkg:golang/github.com/fleetdm/fleet

Affected ranges

Type
SEMVER
Events
Introduced
4.75.0
Fixed
4.75.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json"

github.com/fleetdm/fleet/v4

Package

Name
github.com/fleetdm/fleet/v4
View open source insights on deps.dev
Purl
pkg:golang/github.com/fleetdm/fleet/v4

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.43.5-0.20260111020427-0e6c790803d1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gfpw-jgvr-cw4j/GHSA-gfpw-jgvr-cw4j.json"