NIXPKGS-2026-0084

GitHub issue published on

Permalink CVE-2026-23518

updated 3 months, 1 week ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse ignored
16 packages
- fleetctl
- fleeting-plugin-aws
- azure-cli-extensions.fleet
- python312Packages.tesla-fleet-api
- python313Packages.tesla-fleet-api
- haskellPackages.amazonka-iotfleethub
- haskellPackages.amazonka-iotfleetwise
- python312Packages.mypy-boto3-iotfleethub
- python313Packages.mypy-boto3-iotfleethub
- python312Packages.mypy-boto3-iotfleetwise
- python313Packages.mypy-boto3-iotfleetwise
- home-assistant-component-tests.tesla_fleet
- python312Packages.types-aiobotocore-iotfleethub
- python313Packages.types-aiobotocore-iotfleethub
- python312Packages.types-aiobotocore-iotfleetwise
- python313Packages.types-aiobotocore-iotfleetwise
3 months, 1 week ago
@LeSuisse deleted maintainer @ulrikstrid 3 months, 1 week ago maintainer.delete
@LeSuisse added maintainer @katexochen 3 months, 1 week ago maintainer.add
@LeSuisse deleted maintainer @asauzeau 3 months, 1 week ago maintainer.delete
@LeSuisse added
5 maintainers
- @commiterate
- @dotlambda
- @fabaff
- @mweinelt
- @mbalatsko
3 months, 1 week ago maintainer.add
@LeSuisse accepted 3 months, 1 week ago
@LeSuisse published on GitHub 3 months, 1 week ago

Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

References

https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v x_refsource_CONFIRM
https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257 x_refsource_MISC

Affected products

fleet

==< 4.53.3
==>= 4.77.0, < 4.77.1
==>= 4.76.0, < 4.76.2
==>= 4.78.0, < 4.78.3
==>= 4.75.0, < 4.75.2

Matching in nixpkgs

pkgs.fleet

CLI tool to launch Fleet server

nixos-unstable 4.75.1
- nixpkgs-unstable 4.75.1
- nixos-unstable-small 4.76.1

Ignored packages (16)

pkgs.fleetctl

CLI tool for managing Fleet

nixos-unstable 4.75.1
- nixpkgs-unstable 4.75.1
- nixos-unstable-small 4.76.1

pkgs.fleeting-plugin-aws

GitLab fleeting plugin for AWS

nixos-unstable 1.1.0
- nixpkgs-unstable 1.1.0
- nixos-unstable-small 1.1.0

pkgs.azure-cli-extensions.fleet

Microsoft Azure Command-Line Tools Fleet Extension

nixos-unstable 1.8.1
- nixpkgs-unstable 1.8.1
- nixos-unstable-small 1.8.1

pkgs.python312Packages.tesla-fleet-api

Python library for Tesla Fleet API and Teslemetry

nixos-unstable 1.2.5
- nixpkgs-unstable 1.2.5
- nixos-unstable-small 1.2.5

pkgs.python313Packages.tesla-fleet-api

Python library for Tesla Fleet API and Teslemetry

nixos-unstable 1.2.5
- nixpkgs-unstable 1.2.5
- nixos-unstable-small 1.2.5

pkgs.haskellPackages.amazonka-iotfleethub

Amazon IoT Fleet Hub SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16

pkgs.haskellPackages.amazonka-iotfleetwise

Amazon IoT FleetWise SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16

pkgs.python312Packages.mypy-boto3-iotfleethub

Type annotations for boto3 iotfleethub

nixos-unstable boto3-iotfleethub-1.40.17
- nixpkgs-unstable boto3-iotfleethub-1.40.17
- nixos-unstable-small boto3-iotfleethub-1.40.17

pkgs.python313Packages.mypy-boto3-iotfleethub

Type annotations for boto3 iotfleethub

nixos-unstable boto3-iotfleethub-1.40.17
- nixpkgs-unstable boto3-iotfleethub-1.40.17
- nixos-unstable-small boto3-iotfleethub-1.40.17

pkgs.python312Packages.mypy-boto3-iotfleetwise

Type annotations for boto3 iotfleetwise

nixos-unstable boto3-iotfleetwise-1.41.0
- nixpkgs-unstable boto3-iotfleetwise-1.41.0
- nixos-unstable-small boto3-iotfleetwise-1.41.0

pkgs.python313Packages.mypy-boto3-iotfleetwise

Type annotations for boto3 iotfleetwise

nixos-unstable boto3-iotfleetwise-1.41.0
- nixpkgs-unstable boto3-iotfleetwise-1.41.0
- nixos-unstable-small boto3-iotfleetwise-1.41.0

pkgs.home-assistant-component-tests.tesla_fleet

Open source home automation that puts local control and privacy first

nixos-unstable 2025.11.3
- nixpkgs-unstable 2025.11.3
- nixos-unstable-small 2025.11.3

pkgs.python312Packages.types-aiobotocore-iotfleethub

Type annotations for aiobotocore iotfleethub

nixos-unstable 2.24.2
- nixpkgs-unstable 2.24.2
- nixos-unstable-small 2.24.2

pkgs.python313Packages.types-aiobotocore-iotfleethub