Platform
go
Component
github.com/fleetdm/fleet/v4
Fixed versions
4.81.1
4.81.0
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using email addresses that do not match the invited email. This lack of email verification during the invitation process enables email spoofing, potentially granting unauthorized access to the system. The vulnerability affects versions of Fleet prior to 4.81.0, and a fix has been released.
The primary impact of CVE-2026-34389 is the potential for unauthorized account creation. An attacker can craft a malicious invitation link using a spoofed email address, bypassing the intended email verification process. Successful exploitation allows the attacker to create a new user account within the Fleet system, effectively gaining access to resources and data controlled by that account. This could lead to data breaches, system compromise, and further lateral movement within the environment. The blast radius depends on the privileges associated with the newly created account.
CVE-2026-34389 was publicly disclosed on 2026-04-02. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing fleetdm/fleet/v4, particularly those relying on email invitations for user onboarding, are at risk. Shared hosting environments where multiple users share a Fleet instance are also potentially vulnerable, as an attacker could exploit this to create accounts for other users.
Disclosure
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-34389 is to immediately upgrade Fleet to version 4.81.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter email verification policies within Fleet, if possible. Review existing user accounts for any suspicious activity and consider temporarily disabling the user invitation feature until the upgrade can be completed. After upgrading, confirm the fix by attempting to create a user account with a deliberately spoofed email address; the invitation should fail.
Update Fleet to version 4.81.0 or later. This version fixes the vulnerability in the user invitation flow by validating the email address supplied when the invitation is accepted.
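As an added illustration (not Fleet's own code), a Go sketch of the flaw class this advisory describes and of the check the fix introduces: the hypothetical `acceptInviteVulnerable` creates the account with whatever email the request supplies, while `acceptInviteFixed` binds the account to the invited address and rejects a mismatch. The `Invite` type, the `tok-123` token and the addresses are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Invite is a hypothetical invite record: the token carried in the invitation
// link and the address the administrator invited. Not Fleet's real type.
type Invite struct {
	Token string
	Email string
}

var (
	ErrInviteNotFound = errors.New("invitation not found")
	ErrEmailMismatch  = errors.New("email does not match invitation")
)

// normalizeEmail folds case and trims whitespace so the comparison is not
// bypassed by trivial variations of the same address.
func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// acceptInviteVulnerable mirrors the flaw described above: the token is looked
// up, but the account identity is taken from the request, not the invitation.
func acceptInviteVulnerable(invites map[string]Invite, token, submitted string) (string, error) {
	if _, ok := invites[token]; !ok {
		return "", ErrInviteNotFound
	}
	return normalizeEmail(submitted), nil
}

// acceptInviteFixed rejects any address that differs from the invited one and
// uses the stored address, never the request's, as the new account's identity.
func acceptInviteFixed(invites map[string]Invite, token, submitted string) (string, error) {
	inv, ok := invites[token]
	if !ok {
		return "", ErrInviteNotFound
	}
	if normalizeEmail(submitted) != normalizeEmail(inv.Email) {
		return "", ErrEmailMismatch
	}
	return normalizeEmail(inv.Email), nil
}

func main() {
	invites := map[string]Invite{"tok-123": {Token: "tok-123", Email: "alice@example.com"}}
	email, err := acceptInviteVulnerable(invites, "tok-123", "mallory@example.com")
	fmt.Println("vulnerable:", email, err)
	email, err = acceptInviteFixed(invites, "tok-123", "mallory@example.com")
	fmt.Println("fixed:", email, err)
}
```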
CVE-2026-34389 is a vulnerability in fleetdm/fleet/v4 that allows attackers to create user accounts using spoofed email addresses, bypassing email verification.
You are affected if you are using fleetdm/fleet/v4 versions prior to 4.81.0.
Upgrade Fleet to version 4.81.0 or later to mitigate the vulnerability. Consider stricter email verification policies if immediate upgrade is not possible.
There are currently no reports of active exploitation, but the vulnerability is publicly known.
Refer to the fleetdm project's repository and release notes for the official advisory and details on the fix.