CVE-2026-26060 | THREATINT

Description

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.

PUBLISHED Reserved 2026-02-10 | Published 2026-03-27 | Updated 2026-03-27 | Assigner GitHub_M

MEDIUM: 6.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-613: Insufficient Session Expiration

Product status

< 4.81.0

affected

References

github.com/.../fleet/security/advisories/GHSA-3458-r943-hmx4

cve.org (CVE-2026-26060)

nvd.nist.gov (CVE-2026-26060)

Download JSON