CVE-2026-23517
Good to know:
Date: January 21, 2026
Impact
Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.

Patches
- 4.78.3
- 4.77.1
- 4.76.2
- 4.75.2
- 4.53.3

Workarounds
If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist.

For more information
If you have any questions or comments about this advisory:
- Email us at security@fleetdm.com
- Join #fleet in osquery Slack (https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
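The IP allowlist workaround described above can be enforced in a Go reverse proxy or handler chain placed in front of the server. This is an added example, not Fleet's own code; the `/debug/pprof` prefix, the `RestrictPprof` name and the 10.0.5.0/24 admin subnet are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"path"
	"strings"
)

// Assumed mount point of the debug/pprof endpoints; adjust to the deployment.
const pprofPrefix = "/debug/pprof"

// isPprofPath cleans the path first so "//debug/./pprof/heap" still matches.
func isPprofPath(p string) bool {
	clean := path.Clean("/" + p)
	return clean == pprofPrefix || strings.HasPrefix(clean, pprofPrefix+"/")
}

// clientAllowed checks the TCP peer address, not X-Forwarded-For (which the
// client controls), against the allowlist. Unparsable addresses are denied.
func clientAllowed(remoteAddr string, allow []netip.Prefix) bool {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false
	}
	for _, p := range allow {
		if p.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

// RestrictPprof answers 403 for pprof paths requested from outside allow.
func RestrictPprof(next http.Handler, allow []netip.Prefix) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isPprofPath(r.URL.Path) && !clientAllowed(r.RemoteAddr, allow) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allow := []netip.Prefix{netip.MustParsePrefix("10.0.5.0/24")} // constructed admin subnet
	fmt.Println(isPprofPath("//debug/./pprof/heap"), clientAllowed("10.0.5.9:4000", allow))
	fmt.Println(clientAllowed("203.0.113.7:4000", allow))
}
```

If this filter itself sits behind a load balancer, `RemoteAddr` is the balancer's address, so the allowlist has to be applied at the outermost hop instead.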
Severity Score
Top Fix
Upgrade Version
Upgrade to version:
- github.com/fleetdm/fleet - v4.78.3
- github.com/fleetdm/fleet - v4.77.1
- github.com/fleetdm/fleet - v4.76.2
- github.com/fleetdm/fleet - v4.75.2
- https://github.com/fleetdm/fleet.git - v4.78.3
- https://github.com/fleetdm/fleet.git - v4.75.2
- https://github.com/fleetdm/fleet.git - v4.76.2
- https://github.com/fleetdm/fleet.git - v4.77.1
- https://github.com/fleetdm/fleet.git - v4.53.3
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |


