CVE-2026-22808 MEDIUM

CVE-2026-22808: Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability

Vendor Fleetdm
Product fleet
Weakness CWE-79 · XSS
Published January 21, 2026
Last update January 22, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality None (vulnerable system; subsequent system High)
Integrity None (vulnerable system; subsequent system High)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

fleetdm/fleet is open-source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

Key dates

02 Disclosure timeline

January 21, 2026 CVE published
January 22, 2026 Record updated
