CVE-2026-26061

HIGH

Fleet's unbounded request body read allows remote Denial of Service

Title source: cna

Description

Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.

References (1)

[X_Refsource_Confirm] https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

fleetdm/fleet < 4.81.0 (2 CPE variants)

fleetdm/fleet 0 - 4.43.5-0.20260113202849-bbc1aef2987dGo

Published Mar 27, 2026

Tracked Since Mar 29, 2026