GHSA-9pm7-6g36-6j78
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9pm7-6g36-6j78
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9pm7-6g36-6j78/GHSA-9pm7-6g36-6j78.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9pm7-6g36-6j78
- Aliases
-
- CVE-2026-24004
- Published
- 2026-02-26T19:38:56Z
- Modified
- 2026-02-26T23:53:44.413362Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L CVSS Calculator
- Summary
- Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
- Details
-
Summary
A vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management.
Impact
If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication.
This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device.
Workarounds
If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
For more information
If there any questions or comments about this advisory:
Email Fleet at security@fleetdm.com Join #fleet in osquery Slack
Credits
Fleet thanks @secfox-ai for responsibly reporting this issue.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-306", "CWE-862" ], "github_reviewed_at": "2026-02-26T19:38:56Z", "nvd_published_at": "2026-02-26T03:16:04Z", "severity": "MODERATE" }- References
Affected packages
Go / github.com/fleetdm/fleet/v4
Package
- Name
- github.com/fleetdm/fleet/v4
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/fleetdm/fleet/v4