Auth bypass in Fleetdm Fleet

CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with th…

Vulnerability class: Broken Authentication

EPSS: 0.000 (12.9th percentile) — read the EPSS interpretation.

Affected products

Fleetdm Fleet — versions < 4.81.0

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h (x_refsource_CONFIRM)