CVE-2026-27465 in Fleet

Summary

by MITRE • 02/26/2026

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account. Fleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned. As a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account. This issue does not allow escalation of privileges within Fleet or access to device management functionality. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.


Analysis

by VulDB Data Team • 03/03/2026

The vulnerability identified as CVE-2026-27465 affects Fleet, an open source device management platform that enables organizations to manage and secure their endpoint devices. This security flaw resides within Fleet's configuration API and specifically impacts versions prior to 4.80.1, creating a significant risk for organizations that utilize Google Calendar integration within their Fleet deployments. The vulnerability stems from improper handling of sensitive credential data within the API response structure, which violates fundamental security principles of least privilege and proper data sanitization. Organizations relying on Fleet for device management may find their Google Workspace environment exposed to unauthorized access through this configuration flaw.

Technically, the configuration API endpoint returns unredacted Google Calendar service account credentials to any authenticated user, including those holding the lowest-privilege "Observer" role. This is a failure of both access control and data protection: the system neither removes nor obfuscates sensitive credential fields from the API response. The exposed data is the private key material of the Google Calendar service account; a user who obtains it can authenticate as that account and access calendar data, and potentially any other Google Workspace resources the account has been granted. The behavior corresponds to CWE-200 (exposure of sensitive information to an unauthorized actor) and is a clear breakdown of least-privilege enforcement. The flaw lies at the application layer, in the API's response handling, rather than in network protocols or the underlying system.

The operational impact goes beyond the credential exposure itself, because the leaked key grants access to calendar data and related Google Workspace resources reachable by the compromised service account. A user holding only an Observer role account could read, modify, or delete calendar entries, view sensitive meeting information, and, if the service account carries broader permissions, extend their access further within the Google Workspace environment. The result is data exfiltration and unauthorized access that can compromise the confidentiality and integrity of organizational data. Only authentication to Fleet with minimal privileges is required, which makes the issue particularly dangerous: it is exploitable by users who are supposed to have very limited access. This is a classic information disclosure vulnerability that can be leveraged into broader security incidents within the affected organization's cloud infrastructure.

Organizations should upgrade to Fleet version 4.80.1 immediately, which addresses the credential exposure by sanitizing the API response and enforcing proper access control. Where an immediate upgrade is not feasible, administrators must remove the Google Calendar integration from the Fleet configuration and rotate all affected Google service account credentials, since any key that was retrievable before the upgrade must be treated as compromised. Mitigation should also include monitoring for unauthorized access attempts, together with additional controls such as API rate limiting and enhanced logging to detect potential exploitation. This vulnerability highlights the importance of proper credential management and API security practices, aligning with ATT&CK technique T1566 for credential access and T1071 for application layer protocols. Organizations should also consider automated scanning to identify similar credential exposure issues in other applications and services in their environment, as this pattern of misconfiguration is common in enterprise software platforms.
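The defensive pattern the fix implies, as an added illustration that is not Fleet's own code: a configuration read path that masks service-account secrets before serializing, plus a regression check that decodes the response and confirms no stored secret survived. The types, field names and `MaskedSecret` placeholder are assumptions for this example, not Fleet's real schema.

```go
package main

import "encoding/json"

// MaskedSecret replaces every secret field in a config read response.
const MaskedSecret = "********"

// Hypothetical, simplified integration block (not Fleet's real schema).
type GoogleCalendarIntegration struct {
	Domain     string            `json:"domain"`
	APIKeyJSON map[string]string `json:"api_key_json"` // parsed service-account JSON
}
type AppConfig struct {
	GoogleCalendar []GoogleCalendarIntegration `json:"google_calendar"`
}

// secretKeys: service-account JSON fields that must never leave the server in clear.
var secretKeys = map[string]bool{"private_key": true, "private_key_id": true}

// Obfuscate deep-copies cfg and masks each non-empty secret field before it is returned.
func Obfuscate(cfg AppConfig) AppConfig {
	out := AppConfig{GoogleCalendar: make([]GoogleCalendarIntegration, len(cfg.GoogleCalendar))}
	for i, gc := range cfg.GoogleCalendar {
		masked := make(map[string]string, len(gc.APIKeyJSON))
		for k, v := range gc.APIKeyJSON {
			if secretKeys[k] && v != "" {
				v = MaskedSecret
			}
			masked[k] = v
		}
		out.GoogleCalendar[i] = GoogleCalendarIntegration{Domain: gc.Domain, APIKeyJSON: masked}
	}
	return out
}

// RenderResponse is what a config read endpoint should serialize: only the obfuscated copy.
func RenderResponse(cfg AppConfig) ([]byte, error) { return json.Marshal(Obfuscate(cfg)) }

// LeaksSecret decodes a response body and reports whether any stored secret came through
// unmasked (decoding, not substring search: JSON escapes the newlines inside a PEM key).
func LeaksSecret(body []byte, stored AppConfig) bool {
	var got AppConfig
	if json.Unmarshal(body, &got) != nil || len(got.GoogleCalendar) != len(stored.GoogleCalendar) {
		return false
	}
	for i, gc := range stored.GoogleCalendar {
		for k, v := range gc.APIKeyJSON {
			if secretKeys[k] && v != "" && got.GoogleCalendar[i].APIKeyJSON[k] == v {
				return true
			}
		}
	}
	return false
}
```

Running `LeaksSecret` against both the raw-marshaled config and the output of `RenderResponse` in a unit test is the kind of check that would have caught this class of regression before release.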

Responsible

GitHub M

Reservation

02/19/2026

Disclosure

02/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00058

KEV

no

Activities

very low
