CVE-2026-24004

{"id": "CVE-2026-24004", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T03:16:04.183", "references": [{"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-9pm7-6g36-6j78", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet\u2019s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. Version 4.80.1 fixes the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM."}, {"lang": "es", "value": "Fleet es un software de gesti\u00f3n de dispositivos de c\u00f3digo abierto. En versiones anteriores a la 4.80.1, una vulnerabilidad en el manejo de Pub/Sub de MDM de Android de Fleet podr\u00eda permitir que solicitudes no autenticadas desencadenen eventos de desinscripci\u00f3n de dispositivos. Esto puede resultar en la eliminaci\u00f3n no autorizada de dispositivos Android individuales de la gesti\u00f3n de Fleet. Si el MDM de Android est\u00e1 habilitado, un atacante podr\u00eda enviar una solicitud manipulada al endpoint de Pub/Sub de Android para desinscribir un dispositivo Android objetivo de Fleet sin autenticaci\u00f3n. Este problema no otorga acceso a Fleet, no permite la ejecuci\u00f3n de comandos ni proporciona visibilidad de los datos del dispositivo. El impacto se limita a la interrupci\u00f3n de la gesti\u00f3n de dispositivos Android para el dispositivo afectado. La versi\u00f3n 4.80.1 corrige el problema. Si una actualizaci\u00f3n inmediata no es posible, los usuarios afectados de Fleet deber\u00edan deshabilitar temporalmente el MDM de Android."}], "lastModified": "2026-03-02T15:49:08.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1490125-39FE-4B90-AC5F-62B26ED3C509", "versionEndExcluding": "4.80.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}