CVE-2026-34389

EPSS 0.18%
Veröffentlicht 27.03.2026 19:18:19
Zuletzt bearbeitet 02.04.2026 19:41:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fleetdm ≫ Fleet Version < 4.81.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.081

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	4.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-34389

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34389

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34389

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34389