CVE-2026-22808

Date: January 21, 2026

Impact If Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser. A compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts. This issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled. Patches - 4.78.2 - 4.77.1 - 4.76.2 - 4.75.2 - 4.53.3 Workarounds If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. For more information If you have any questions or comments about this advisory: Email us at "security@fleetdm.com" (mailto:security@fleetdm.com) Join #fleet in "osquery Slack" (https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)