CVE-2026-23518
Date: January 21, 2026
Impact

If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.

Patches

- 4.78.3
- 4.77.1
- 4.76.2
- 4.75.2
- 4.53.3

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

- Email us at security@fleetdm.com (mailto:security@fleetdm.com)
- Join #fleet in osquery Slack (https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
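The advisory describes the general failure mode behind CWE-347: the server decodes the JWT payload and acts on its claims without first checking that the signature was produced by the expected issuer's key. The Go program below is an added illustration, not Fleet's code, and does not reproduce the actual Fleet code path. It builds tokens with the standard library only, shows the vulnerable pattern (decode payload, trust claims) accepting a token signed by an attacker-controlled key, and sets a hardened verifier beside it that pins the algorithm, checks the RS256 signature against the trusted key, and validates `iss`, `aud` and `exp` before any claim is used. The issuer string, audience and the locally generated "IdP" key are assumptions standing in for the Azure AD tenant issuer, the application's client ID and the key a real server would fetch from the issuer's JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of OIDC ID-token claims an enrollment server would act on.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	UPN string `json:"upn,omitempty"`
}

// Assumed trust anchors for this example. A real deployment pins its tenant issuer,
// its own client ID, and loads signing keys from the issuer's JWKS endpoint.
const (
	trustedIssuer    = "https://login.microsoftonline.com/{tenant}/v2.0" // placeholder tenant
	expectedAudience = "example-mdm-client-id"                          // hypothetical client ID
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 builds a compact JWS; used here only to construct sample tokens.
func signRS256(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	h := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64(sig)
}

// parseUnverified is the vulnerable pattern: decode the payload and trust its
// claims without any signature check. Anyone can mint a token it will accept.
func parseUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	err = json.Unmarshal(raw, &c)
	return c, err
}

// verifyRS256 is the hardened path: pin alg, verify the signature with the trusted
// key, then validate iss, aud and exp. Only then are the claims returned.
func verifyRS256(token string, pub *rsa.PublicKey, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return Claims{}, err
	}
	if hdr.Alg != "RS256" { // refuses alg=none and algorithm confusion
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return Claims{}, errors.New("signature verification failed")
	}
	c, err := parseUnverified(token) // safe now: payload integrity is established
	if err != nil {
		return Claims{}, err
	}
	if c.Iss != trustedIssuer {
		return Claims{}, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	if c.Aud != expectedAudience {
		return Claims{}, fmt.Errorf("wrong audience %q", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Demo runs constructed tokens through both paths and reports what each accepts.
func Demo() (forgedUnverified, forgedVerified, noneVerified, genuineVerified bool) {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048)      // stands in for the IdP signing key
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // attacker-controlled key
	now := time.Now()
	claims := Claims{Iss: trustedIssuer, Aud: expectedAudience, Exp: now.Add(time.Hour).Unix(), UPN: "admin@example.test"}

	forged := signRS256(attackerKey, claims) // correct-looking claims, wrong key
	c, err := parseUnverified(forged)
	forgedUnverified = err == nil && c.UPN == claims.UPN
	_, err = verifyRS256(forged, &idpKey.PublicKey, now)
	forgedVerified = err == nil

	body, _ := json.Marshal(claims) // unsigned alg=none token, the other classic bypass
	none := b64([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64(body) + "."
	_, err = verifyRS256(none, &idpKey.PublicKey, now)
	noneVerified = err == nil

	_, err = verifyRS256(signRS256(idpKey, claims), &idpKey.PublicKey, now)
	genuineVerified = err == nil
	return
}

func main() {
	fu, fv, nv, gv := Demo()
	fmt.Println("forged token accepted without signature check:", fu)
	fmt.Println("forged token accepted with signature check:   ", fv)
	fmt.Println("alg=none token accepted with signature check: ", nv)
	fmt.Println("genuine token accepted with signature check:  ", gv)
}
```

The order of checks matters: the algorithm is pinned from the header before any cryptographic call, the signature is verified before the payload is decoded for authorization, and issuer and audience are compared against server-side constants rather than values taken from the token. Key material for the issuer must come from the issuer's published JWKS (matched by `kid`), never from a `jku` or `x5u` header the token itself supplies.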
Severity Score
Weakness Type (CWE)
CWE-347: Improper Verification of Cryptographic Signature

Top Fix
Upgrade Version
Upgrade github.com/fleetdm/fleet (also identified as https://github.com/fleetdm/fleet.git) to one of:
- v4.78.3
- v4.77.1
- v4.76.2
- v4.75.2
CVSS v3.1

| Metric | Value |
|---|---|
| Base Score | 9.8 (Critical), as computed from the metrics below (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | HIGH |
| Integrity (I) | HIGH |
| Availability (A) | HIGH |