CVE-2026-26061 HIGH

CVE-2026-26061: Fleet's unbounded request body read allows remote Denial of Service

Vendor Fleetdm
Product fleet
Weakness CWE-770 · Uncontrolled resource consumption
Published March 27, 2026
Last update March 31, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.

Key dates

02 Disclosure timeline

March 27, 2026 CVE published
March 31, 2026 Record updated