Platform
go
Component
github.com/fleetdm/fleet/v4
Fixed in
4.81.1
4.81.0
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using email addresses that do not match the invited email. This lack of email verification during the invitation process enables email spoofing, potentially granting unauthorized access to the system. The vulnerability affects versions of Fleet prior to 4.81.0, and a fix has been released.
The primary impact of CVE-2026-34389 is the potential for unauthorized account creation. An attacker can craft a malicious invitation link using a spoofed email address, bypassing the intended email verification process. Successful exploitation allows the attacker to create a new user account within the Fleet system, effectively gaining access to resources and data controlled by that account. This could lead to data breaches, system compromise, and further lateral movement within the environment. The blast radius depends on the privileges associated with the newly created account.
CVE-2026-34389 was publicly disclosed on 2026-04-02. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing fleetdm/fleet/v4, particularly those relying on email invitations for user onboarding, are at risk. Shared hosting environments where multiple users share a Fleet instance are also potentially vulnerable, as an attacker could exploit this to create accounts for other users.
Disclosure
Exploit status
EPSS
0.03% (percentile 9%)
CISA SSVC
The recommended mitigation for CVE-2026-34389 is to immediately upgrade Fleet to version 4.81.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter email verification policies within Fleet, if possible. Review existing user accounts for any suspicious activity and consider temporarily disabling the user invitation feature until the upgrade can be completed. After upgrading, confirm the fix by attempting to create a user account with a deliberately spoofed email address; the invitation should fail.
Update Fleet to version 4.81.0 or later. This version fixes the vulnerability in the user invitation flow by validating the e-mail address supplied when the invitation is accepted.
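As an added illustration (not Fleet's own code; the types, map-backed invite store and function names are hypothetical), the check the fix description implies, written in Go: the acceptance step binds the new account to the address the invitation was sent to and rejects a request whose e-mail differs, shown beside the flawed variant that trusts the request's e-mail.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Invite is a hypothetical record of a pending user invitation.
type Invite struct {
	Token string
	Email string // the address the invitation was sent to
}

// AcceptRequest is the hypothetical payload submitted when accepting an invite.
type AcceptRequest struct {
	Token string
	Email string // the address the requester claims
	Name  string
}

var ErrEmailMismatch = errors.New("email does not match the invited address")
var ErrUnknownInvite = errors.New("unknown invite token")

// normalizeEmail avoids false mismatches on case or stray whitespace.
func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// acceptInviteVulnerable mirrors the flaw class: the account is created
// with whatever e-mail the requester supplies, never checked against the invite.
func acceptInviteVulnerable(invites map[string]Invite, req AcceptRequest) (string, error) {
	if _, ok := invites[req.Token]; !ok {
		return "", ErrUnknownInvite
	}
	return req.Email, nil
}

// acceptInviteFixed rejects any request whose e-mail differs from the invited
// address and creates the account under the invite's address, not the request's.
func acceptInviteFixed(invites map[string]Invite, req AcceptRequest) (string, error) {
	inv, ok := invites[req.Token]
	if !ok {
		return "", ErrUnknownInvite
	}
	if normalizeEmail(req.Email) != normalizeEmail(inv.Email) {
		return "", ErrEmailMismatch
	}
	return inv.Email, nil
}

func main() {
	// Constructed sample data: one pending invite and one spoofed acceptance.
	invites := map[string]Invite{"tok-1": {Token: "tok-1", Email: "alice@example.com"}}
	_, err := acceptInviteFixed(invites, AcceptRequest{Token: "tok-1", Email: "mallory@example.com"})
	fmt.Println("spoofed accept rejected:", err)
}
```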
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using spoofed email addresses, bypassing email verification.
You are affected if you are using fleetdm/fleet/v4 versions prior to 4.81.0.
Upgrade Fleet to version 4.81.0 or later to mitigate the vulnerability. Consider stricter email verification policies if immediate upgrade is not possible.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the fleetdm project's repository and release notes for the official advisory and details on the fix.