fleetdm fleet up to 4.80.0 Batch Deletion Endpoint authorization

Summaryinfo

A vulnerability, which was classified as problematic, was found in fleetdm fleet up to 4.80.0. Affected by this vulnerability is an unknown functionality of the component Batch Deletion Endpoint. Such manipulation leads to authorization. This vulnerability is referenced as CVE-2026-25963. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in fleetdm fleet up to 4.80.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Batch Deletion Endpoint. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-863. The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Impacted is integrity. CVE summarizes:

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificate templates that are scoped to individual teams. In affected versions, the batch deletion endpoint validated authorization using a user-supplied team identifier but did not verify that the certificate template IDs being deleted actually belonged to that team. As a result, a team administrator could delete certificate templates associated with other teams, potentially disrupting certificate-based workflows such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams. This issue does not allow privilege escalation, access to sensitive data, or compromise of Fleet’s control plane. Impact is limited to integrity and availability of certificate templates across teams. Version 4.80.1 patches the issue. If an immediate upgrade is not possible, administrators should restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.

The advisory is available at github.com. This vulnerability is handled as CVE-2026-25963 since 02/09/2026. The exploitation is known to be easy. The attack may be launched remotely. The exploitation requires an enhanced level of successful authentication. The technical details are unknown and an exploit is not available.

Upgrading to version 4.80.1 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• fleetdm

Name

• fleet

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10
• 4.11
• 4.12
• 4.13
• 4.14
• 4.15
• 4.16
• 4.17
• 4.18
• 4.19
• 4.20
• 4.21
• 4.22
• 4.23
• 4.24
• 4.25
• 4.26
• 4.27
• 4.28
• 4.29
• 4.30
• 4.31
• 4.32
• 4.33
• 4.34
• 4.35
• 4.36
• 4.37
• 4.38
• 4.39
• 4.40
• 4.41
• 4.42
• 4.43
• 4.44
• 4.45
• 4.46
• 4.47
• 4.48
• 4.49
• 4.50
• 4.51
• 4.52
• 4.53
• 4.54
• 4.55
• 4.56
• 4.57
• 4.58
• 4.59
• 4.60
• 4.61
• 4.62
• 4.63
• 4.64
• 4.65
• 4.66
• 4.67
• 4.68
• 4.69
• 4.70
• 4.71
• 4.72
• 4.73
• 4.74
• 4.75
• 4.76
• 4.77
• 4.78
• 4.79
• 4.80.0

Website

• Product: https://github.com/fleetdm/fleet/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion