Platform
go
Component
github.com/fleetdm/fleet/v4
Fixed versions
4.81.1
4.81.0
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using email addresses that do not match the invited email. This lack of email verification during the invitation process enables email spoofing, potentially granting unauthorized access to the system. The vulnerability affects versions of Fleet prior to 4.81.0, and a fix has been released.
The primary impact of CVE-2026-34389 is the potential for unauthorized account creation. An attacker can craft a malicious invitation link using a spoofed email address, bypassing the intended email verification process. Successful exploitation allows the attacker to create a new user account within the Fleet system, effectively gaining access to resources and data controlled by that account. This could lead to data breaches, system compromise, and further lateral movement within the environment. The blast radius depends on the privileges associated with the newly created account.
CVE-2026-34389 was publicly disclosed on 2026-04-02. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing fleetdm/fleet/v4, particularly those relying on email invitations for user onboarding, are at risk. Shared hosting environments where multiple users share a Fleet instance are also potentially vulnerable, as an attacker could exploit this to create accounts for other users.
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34389 is to immediately upgrade Fleet to version 4.81.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter email verification policies within Fleet, if possible. Review existing user accounts for any suspicious activity and consider temporarily disabling the user invitation feature until the upgrade can be completed. After upgrading, confirm the fix by attempting to create a user account with a deliberately spoofed email address; the invitation should fail.
Update Fleet to version 4.81.0 or later. This version fixes the vulnerability in the invitation flow by validating the email address supplied when the invitation is accepted.
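To make the fixed behaviour concrete, the following is an added, simplified model of an invitation-acceptance check (constructed for this page, not Fleet's own code): `AcceptInviteUnchecked` mirrors the pre-fix flow, where the address in the acceptance request is taken as-is, and `AcceptInviteVerified` mirrors the fix, rejecting any address that does not match the stored invitation and creating the account with the invited address. The `Invite` type, the function names and the error values are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"strings"
)

// Invite is a constructed model of a pending invitation: the address the
// admin invited, keyed by the token the invitee presents on acceptance.
type Invite struct {
	Email string
	Used  bool
}

var (
	ErrInviteInvalid = errors.New("invite token unknown or already used")
	ErrEmailMismatch = errors.New("accepted email does not match invited email")
)

// normalizeEmail canonicalises case and whitespace so a legitimate invitee
// typing Alice@Example.com is not rejected; the comparison is exact otherwise.
func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// AcceptInviteUnchecked models the pre-fix flow: the address from the
// acceptance request becomes the account email without being compared.
func AcceptInviteUnchecked(invites map[string]*Invite, token, email string) (string, error) {
	inv, ok := invites[token]
	if !ok || inv.Used {
		return "", ErrInviteInvalid
	}
	inv.Used = true
	return email, nil // client-supplied address, never checked against inv.Email
}

// AcceptInviteVerified models the fixed flow: a mismatch is rejected and
// the account is created with the stored invited address, not the request's.
func AcceptInviteVerified(invites map[string]*Invite, token, email string) (string, error) {
	inv, ok := invites[token]
	if !ok || inv.Used {
		return "", ErrInviteInvalid
	}
	if normalizeEmail(email) != normalizeEmail(inv.Email) {
		return "", ErrEmailMismatch
	}
	inv.Used = true
	return inv.Email, nil
}
```

Marking the invitation as used after a successful acceptance also stops the same token from being accepted twice.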
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using spoofed email addresses, bypassing email verification.
You are affected if you are using fleetdm/fleet/v4 versions prior to 4.81.0.
Upgrade Fleet to version 4.81.0 or later to mitigate the vulnerability. Consider stricter email verification policies if immediate upgrade is not possible.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the fleetdm project's repository and release notes for the official advisory and details on the fix.