CVE-2026-26060

HIGH

Fleet: Password reset tokens remain valid after password change for 24 hours

Title source: cna

Description

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.

References (1)

[X_Refsource_Confirm] https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4

Scores

CVSS v3 8.8

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (2)

fleetdm/fleet < 4.81.0 (2 CPE variants)

fleetdm/fleet 0 - 4.43.5-0.20260113202849-bbc1aef2987dGo

Published Mar 27, 2026

Tracked Since Mar 29, 2026