Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: fleet

Found 23 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-22808
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    15 packages
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    5 months ago
  • @LeSuisse deleted maintainer @asauzeau 5 months ago maintainer.delete
  • @LeSuisse added
    6 maintainers
    • @commiterate
    • @dotlambda
    • @fabaff
    • @mweinelt
    • @mbalatsko
    • @katexochen
    5 months ago maintainer.add
  • @LeSuisse ignored package fleetctl 5 months ago
  • @LeSuisse added maintainer @ulrikstrid 5 months ago maintainer.add
  • @LeSuisse accepted 5 months ago
  • @LeSuisse published on GitHub 5 months ago
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability

fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Affected products

fleet
  • ==>= 4.78.0, < 4.78.2
  • ==< 4.53.3
  • ==>= 4.77.0, < 4.77.1
  • ==>= 4.76.0, < 4.76.2

Matching in nixpkgs

pkgs.fleet

CLI tool to launch Fleet server

Ignored packages (16)

Package maintainers

Ignored maintainers (1)

Additional maintainers

Upstream advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j
Published
Permalink CVE-2026-23518
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    16 packages
    • fleetctl
    • fleeting-plugin-aws
    • azure-cli-extensions.fleet
    • python312Packages.tesla-fleet-api
    • python313Packages.tesla-fleet-api
    • haskellPackages.amazonka-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • python312Packages.mypy-boto3-iotfleethub
    • python313Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleetwise
    • home-assistant-component-tests.tesla_fleet
    • python312Packages.types-aiobotocore-iotfleethub
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleetwise
    • python313Packages.types-aiobotocore-iotfleetwise
    5 months ago
  • @LeSuisse deleted maintainer @ulrikstrid 5 months ago maintainer.delete
  • @LeSuisse added maintainer @katexochen 5 months ago maintainer.add
  • @LeSuisse deleted maintainer @asauzeau 5 months ago maintainer.delete
  • @LeSuisse added
    5 maintainers
    • @commiterate
    • @dotlambda
    • @fabaff
    • @mweinelt
    • @mbalatsko
    5 months ago maintainer.add
  • @LeSuisse accepted 5 months ago
  • @LeSuisse published on GitHub 5 months ago
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Affected products

fleet
  • ==>= 4.75.0, < 4.75.2
  • ==>= 4.76.0, < 4.76.2
  • ==< 4.53.3
  • ==>= 4.78.0, < 4.78.3
  • ==>= 4.77.0, < 4.77.1

Matching in nixpkgs

pkgs.fleet

CLI tool to launch Fleet server

Ignored packages (16)

Package maintainers

Ignored maintainers (1)

Additional maintainers

Upstream advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v
Published
Permalink CVE-2026-23517
updated 5 months ago by @LeSuisse Activity log
  • Created suggestion 5 months ago
  • @LeSuisse ignored
    4 packages
    • fleetctl
    • fleeting-plugin-aws
    • python313Packages.types-aiobotocore-iotfleetwise
    • python312Packages.types-aiobotocore-iotfleetwise
    5 months ago
  • @LeSuisse deleted
    3 maintainers
    • @katexochen
    • @ulrikstrid
    • @asauzeau
    5 months ago maintainer.delete
  • @LeSuisse added maintainer @commiterate 5 months ago maintainer.add
  • @LeSuisse deleted
    4 maintainers
    • @dotlambda
    • @fabaff
    • @mweinelt
    • @mbalatsko
    5 months ago maintainer.delete
  • @LeSuisse ignored
    12 packages
    • python313Packages.types-aiobotocore-iotfleethub
    • python312Packages.types-aiobotocore-iotfleethub
    • home-assistant-component-tests.tesla_fleet
    • python313Packages.mypy-boto3-iotfleetwise
    • python312Packages.mypy-boto3-iotfleetwise
    • python313Packages.mypy-boto3-iotfleethub
    • python312Packages.mypy-boto3-iotfleethub
    • haskellPackages.amazonka-iotfleetwise
    • haskellPackages.amazonka-iotfleethub
    • python313Packages.tesla-fleet-api
    • python312Packages.tesla-fleet-api
    • azure-cli-extensions.fleet
    5 months ago
  • @LeSuisse deleted maintainer @commiterate 5 months ago maintainer.delete
  • @LeSuisse accepted 5 months ago
  • @LeSuisse published on GitHub 5 months ago
Fleet has an Access Control vulnerability in debug/pprof endpoints

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.

Affected products

fleet
  • ==>= 4.75.0, < 4.75.2
  • ==>= 4.76.0, < 4.76.2
  • ==< 4.53.3
  • ==>= 4.78.0, < 4.78.3
  • ==>= 4.77.0, < 4.77.1

Matching in nixpkgs

pkgs.fleet

CLI tool to launch Fleet server

Ignored packages (16)

Package maintainers

Ignored maintainers (1) 
Upstream advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6