Platform: go
Component: github.com/fleetdm/fleet/v4
Fixed in: 4.81.1, 4.81.0
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using email addresses that do not match the invited email. This lack of email verification during the invitation process enables email spoofing, potentially granting unauthorized access to the system. The vulnerability affects versions of Fleet prior to 4.81.0, and a fix has been released.
The primary impact of CVE-2026-34389 is the potential for unauthorized account creation. An attacker can craft a malicious invitation link using a spoofed email address, bypassing the intended email verification process. Successful exploitation allows the attacker to create a new user account within the Fleet system, effectively gaining access to resources and data controlled by that account. This could lead to data breaches, system compromise, and further lateral movement within the environment. The blast radius depends on the privileges associated with the newly created account.
CVE-2026-34389 was publicly disclosed on 2026-04-02. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34389 is to immediately upgrade Fleet to version 4.81.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter email verification policies within Fleet, if possible. Review existing user accounts for any suspicious activity and consider temporarily disabling the user invitation feature until the upgrade can be completed. After upgrading, confirm the fix by attempting to create a user account with a deliberately spoofed email address; the invitation should fail.
Update Fleet to version 4.81.0 or higher. This version fixes the vulnerability in the user invitation flow by validating that the email address provided during invitation acceptance matches the address the invitation was issued to.
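The flawed pattern and the corrected check side by side, as an added illustration of the fix described above and of the post-upgrade verification step in the mitigation section. This is example code, not Fleet's own implementation; the `Invite`, `AcceptRequest` and `User` types, the in-memory invite map and the two `acceptInvite*` functions are all hypothetical stand-ins for whatever the real invitation flow uses.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Invite is a pending invitation as stored server-side (hypothetical type).
type Invite struct {
	Token string
	Email string // the address the invitation was actually sent to
}

// AcceptRequest is what the client submits when redeeming an invite (hypothetical type).
type AcceptRequest struct {
	Token    string
	Email    string // address the client claims; must not be trusted on its own
	Name     string
	Password string
}

// User is the account that gets created on success (hypothetical type).
type User struct {
	Email string
	Name  string
}

var (
	ErrInviteNotFound = errors.New("invite: token not found")
	ErrEmailMismatch  = errors.New("invite: submitted email does not match invited address")
)

// normalizeEmail trims whitespace and lowercases so the comparison is not
// defeated by trivial case or spacing differences.
func normalizeEmail(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// acceptInviteVulnerable shows the flawed pattern: the token is checked, but
// the account is created with whatever email the client supplied, so a valid
// token can be redeemed for an arbitrary address.
func acceptInviteVulnerable(invites map[string]Invite, req AcceptRequest) (User, error) {
	if _, ok := invites[req.Token]; !ok {
		return User{}, ErrInviteNotFound
	}
	return User{Email: req.Email, Name: req.Name}, nil
}

// acceptInviteFixed refuses the request when the submitted email differs from
// the invited one, and builds the account from the server-side record rather
// than the client's copy of the address.
func acceptInviteFixed(invites map[string]Invite, req AcceptRequest) (User, error) {
	inv, ok := invites[req.Token]
	if !ok {
		return User{}, ErrInviteNotFound
	}
	if normalizeEmail(req.Email) != normalizeEmail(inv.Email) {
		return User{}, ErrEmailMismatch
	}
	return User{Email: inv.Email, Name: req.Name}, nil
}

func main() {
	// Constructed sample data: one outstanding invite for alice.
	invites := map[string]Invite{
		"tok-1": {Token: "tok-1", Email: "alice@example.com"},
	}
	// A request that redeems alice's token but asks for a different address.
	spoofed := AcceptRequest{Token: "tok-1", Email: "mallory@example.com", Name: "M"}

	u, err := acceptInviteVulnerable(invites, spoofed)
	fmt.Printf("vulnerable: user=%+v err=%v\n", u, err)

	u, err = acceptInviteFixed(invites, spoofed)
	fmt.Printf("fixed:      user=%+v err=%v\n", u, err)

	// The legitimate invitee still succeeds, even with different casing.
	u, err = acceptInviteFixed(invites, AcceptRequest{Token: "tok-1", Email: " Alice@Example.com ", Name: "Alice"})
	fmt.Printf("legit:      user=%+v err=%v\n", u, err)
}
```

The verification step from the mitigation section is exactly the `spoofed` request above: a valid invite token redeemed with a non-matching address. Against a fixed deployment that request must be rejected, while the matching address (case and whitespace aside) still creates the account.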
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using spoofed email addresses, bypassing email verification.
You are affected if you are using fleetdm/fleet/v4 versions prior to 4.81.0.
Upgrade Fleet to version 4.81.0 or later to mitigate the vulnerability. Consider stricter email verification policies if immediate upgrade is not possible.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the fleetdm project's repository and release notes for the official advisory and details on the fix.