CVE-2026-26061
Aliases:GHSA-99hj-44vg-hfcpGO-2026-4889
Advisory lineage Upstream: 0 Downstream: 1
Downstream
Analyzed
Published: 27 Mar 2026, 18:23
Last modified:31 Mar 2026, 13:38
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
8.7 HIGH
v4.0 (cve.org)
EPSS Score
0.02% LOW
0% probability -0.04%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
27 Mar 2026, 18:23
Published
Vulnerability first disclosed
31 Mar 2026, 13:38
Last Modified
Vulnerability information updated
Description
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.
CVSS Metrics
- v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.02%• Percentile: 6%
Techniques & Countermeasures
- CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Affected Systems
- fleetdm•fleet
< 4.81.0
- github.com/fleetdm/fleet•v4
< 4.43.5-0.20260113202849-bbc1aef2987d | all