CVE-2026-23518 Overview
Fleet is an open source device management software platform used for managing and monitoring devices across an organization. A critical authentication bypass vulnerability exists in Fleet's Windows MDM (Mobile Device Management) enrollment flow where JWT (JSON Web Token) signatures are not properly validated. This allows attackers to submit forged authentication tokens with arbitrary identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.
Critical Impact
Attackers can bypass authentication by submitting forged JWT tokens, enabling unauthorized device enrollment under any Azure AD user identity without proper verification.
Affected Products
- Fleet versions prior to 4.78.3
- Fleet versions prior to 4.77.1
- Fleet versions prior to 4.76.2
- Fleet versions prior to 4.75.2
- Fleet versions prior to 4.53.3
Discovery Timeline
- 2026-01-21 - CVE CVE-2026-23518 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-23518
Vulnerability Analysis
This vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature), representing a fundamental authentication bypass flaw. The issue stems from Fleet's failure to verify JWT token signatures during the Windows MDM enrollment process.
During normal MDM enrollment, devices authenticate using JWT tokens that contain identity claims from Azure AD. These tokens are cryptographically signed to ensure their authenticity and integrity. However, in vulnerable Fleet versions, the signature verification step was not implemented, meaning the application would accept any JWT token regardless of whether it was legitimately signed by Azure AD.
This allows an attacker to craft arbitrary JWT tokens with any identity claims they choose. Since the signature is never checked, Fleet accepts these forged tokens as legitimate, granting the attacker the ability to enroll devices under any Azure AD user identity within the organization.
Root Cause
The root cause is the missing implementation of JWT signature verification in Fleet's Windows MDM enrollment authentication handler. The code path responsible for processing enrollment requests accepted JWT tokens at face value without cryptographically validating that they originated from a trusted identity provider (Azure AD). This oversight allowed attacker-controlled identity claims to be trusted implicitly.
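The contrast the root-cause paragraph describes, shown as an added Go example (this is not Fleet's code): a handler that reads the JWT payload without checking the signature, beside a hardened one that verifies the RS256 signature with the identity provider's public key and then checks issuer, audience and expiry. The key pair, issuer, audience and claim layout are constructed for the example; a real deployment fetches Azure AD's signing keys from its published JWKS and normally uses a vetted JWT library rather than hand-rolled verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims: the Azure AD claims an enrollment handler relies on (assumed shape, not Fleet's type).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Upn string `json:"upn"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeClaims(payload string) (c Claims, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return
}

// vulnerableIdentity mirrors the CWE-347 pattern: the payload is decoded and
// trusted while the signature (parts[2]) is never examined, so any token passes.
func vulnerableIdentity(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	c, err := decodeClaims(parts[1])
	return c.Upn, err
}

// verifiedIdentity is the hardened form: verify the RS256 signature with the
// IdP's public key, then check issuer, audience and expiry before trusting claims.
func verifiedIdentity(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a decode failure yields bytes that fail verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	c, err := decodeClaims(parts[1])
	if err != nil {
		return "", err
	}
	if c.Iss != issuer || c.Aud != audience {
		return "", errors.New("issuer or audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Upn, nil
}

// signToken mints an RS256 token; here it stands in for the identity provider.
func signToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// RunScenario mints a genuine token, builds a copy whose identity claim was swapped while
// the original signature was kept, and runs both handlers. All values are constructed fixtures.
func RunScenario() (genuineUPN, tamperedUPN string, tamperedRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	const issuer, audience = "https://login.example/tenant", "fleet-mdm"
	now := time.Unix(1700000000, 0)
	genuine := Claims{Iss: issuer, Aud: audience, Upn: "alice@example.com", Exp: now.Add(time.Hour).Unix()}
	tok, err := signToken(priv, genuine)
	if err != nil {
		return
	}
	tampered := genuine
	tampered.Upn = "admin@example.com"
	body, _ := json.Marshal(tampered)
	parts := strings.Split(tok, ".")
	forged := parts[0] + "." + b64(body) + "." + parts[2] // stale signature no longer covers this payload
	if genuineUPN, err = verifiedIdentity(tok, &priv.PublicKey, issuer, audience, now); err != nil {
		return
	}
	tamperedUPN, _ = vulnerableIdentity(forged)
	_, verr := verifiedIdentity(forged, &priv.PublicKey, issuer, audience, now)
	return genuineUPN, tamperedUPN, verr != nil, nil
}
```

RunScenario returns what each handler accepts: the hardened handler yields alice@example.com for the genuine token and rejects the tampered copy, while the vulnerable handler returns admin@example.com for it. Because the example always verifies with a fixed RSA key it never consults the token's alg header; a library-based verifier must likewise pin the expected algorithm rather than let the token choose it.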
Attack Vector
The attack vector is network-based with no authentication required. An attacker with network access to the Fleet server can exploit this vulnerability by:
- Crafting a malicious JWT token containing arbitrary Azure AD user identity claims
- Submitting the forged token to Fleet's Windows MDM enrollment endpoint
- Successfully enrolling an unauthorized device under the spoofed identity
Since no user interaction is required and the complexity is low, this attack can be executed remotely against any exposed Fleet instance running vulnerable versions. The attacker gains the ability to enroll rogue devices that appear to belong to legitimate organizational users, potentially enabling further lateral movement or data exfiltration.
Detection Methods for CVE-2026-23518
Indicators of Compromise
- Unexpected device enrollments in Fleet MDM that do not correspond to legitimate provisioning activities
- Enrollment events from IP addresses or geographic locations inconsistent with known corporate infrastructure
- Multiple device enrollments associated with a single user account in a short timeframe
- Device enrollments occurring outside normal business hours or provisioning windows
Detection Strategies
- Review Fleet MDM enrollment logs for anomalous device registration patterns
- Cross-reference enrolled device identities with Azure AD to identify any discrepancies
- Monitor network traffic to Fleet's MDM enrollment endpoints for unusual request volumes or patterns
- Implement alerting on device enrollments that bypass standard provisioning workflows
Monitoring Recommendations
- Enable detailed audit logging for all MDM enrollment activities in Fleet
- Set up SIEM correlation rules to detect enrollment attempts from untrusted networks
- Periodically audit the enrolled device inventory against expected organizational assets
- Monitor Azure AD sign-in logs for authentication events that don't correlate with Fleet enrollments
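The indicators of compromise and detection strategies above can be turned into a first-pass triage of enrollment records. This added Go example (not Fleet's own tooling) applies three of them: source address outside corporate ranges, enrollment outside the provisioning window, and several devices enrolled under one user within a short span. The record layout, thresholds and log lines are constructed for the example; map Fleet's actual enrollment log fields onto the Enrollment type before running it on real data.

```go
package main

import (
	"encoding/json"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// Enrollment is a constructed record shape for this example; Fleet's real log
// fields may be named differently, so map them onto this type first.
type Enrollment struct {
	Time   time.Time `json:"time"`
	UPN    string    `json:"upn"`
	Device string    `json:"device_id"`
	SrcIP  string    `json:"src_ip"`
}

// Finding is one flagged enrollment with the rule that fired.
type Finding struct {
	Device, UPN, Reason string
}

// Rules carries the thresholds a team would tune to its own environment.
type Rules struct {
	CorpNets    []netip.Prefix // source ranges considered corporate
	WindowStart int            // provisioning window, hours of day in the log's timezone
	WindowEnd   int
	BurstWindow time.Duration // one UPN enrolling BurstCount devices within this span is flagged
	BurstCount  int
}

func inCorpNets(ip netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Triage parses one JSON enrollment record per line and applies the three rules in time order.
func Triage(lines []string, r Rules) ([]Finding, error) {
	var evs []Enrollment
	for _, l := range lines {
		if l = strings.TrimSpace(l); l == "" {
			continue
		}
		var e Enrollment
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, err
		}
		evs = append(evs, e)
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
	var out []Finding
	recent := map[string][]time.Time{} // per-UPN enrollment times seen so far
	for _, e := range evs {
		ip, err := netip.ParseAddr(e.SrcIP)
		if err != nil || !inCorpNets(ip, r.CorpNets) {
			out = append(out, Finding{e.Device, e.UPN, "source outside corporate networks"})
		}
		if h := e.Time.Hour(); h < r.WindowStart || h >= r.WindowEnd {
			out = append(out, Finding{e.Device, e.UPN, "outside provisioning window"})
		}
		recent[e.UPN] = append(recent[e.UPN], e.Time)
		n := 0
		for _, t := range recent[e.UPN] {
			if e.Time.Sub(t) <= r.BurstWindow {
				n++
			}
		}
		if n >= r.BurstCount {
			out = append(out, Finding{e.Device, e.UPN, "burst of enrollments for one user"})
		}
	}
	return out, nil
}

// sampleLog is constructed data, not output from a real Fleet deployment.
var sampleLog = []string{
	`{"time":"2026-01-22T09:05:00Z","upn":"alice@example.com","device_id":"laptop-01","src_ip":"10.20.0.15"}`,
	`{"time":"2026-01-22T03:15:00Z","upn":"bob@example.com","device_id":"laptop-02","src_ip":"10.20.0.16"}`,
	`{"time":"2026-01-22T10:00:00Z","upn":"carol@example.com","device_id":"dev-a","src_ip":"203.0.113.7"}`,
	`{"time":"2026-01-22T10:02:00Z","upn":"carol@example.com","device_id":"dev-b","src_ip":"203.0.113.7"}`,
	`{"time":"2026-01-22T10:04:00Z","upn":"carol@example.com","device_id":"dev-c","src_ip":"203.0.113.7"}`,
}

// SampleFindings runs Triage over the constructed log with example thresholds.
func SampleFindings() ([]Finding, error) {
	return Triage(sampleLog, Rules{
		CorpNets:    []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
		WindowStart: 8, WindowEnd: 18,
		BurstWindow: 10 * time.Minute, BurstCount: 3,
	})
}
```

On the constructed log, SampleFindings flags bob's 03:15 enrollment as outside the window, each of carol's three enrollments as coming from outside corporate ranges, and the third of them as a burst; alice's daytime enrollment from the corporate range produces nothing. Every hit still needs the cross-check against Azure AD that the strategies above call for, since these rules surface candidates rather than prove exploitation.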
How to Mitigate CVE-2026-23518
Immediate Actions Required
- Upgrade Fleet to one of the patched versions: 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3
- If immediate upgrade is not possible, temporarily disable Windows MDM functionality
- Audit existing enrolled devices to identify any potentially unauthorized enrollments
- Review MDM enrollment logs for signs of exploitation
Patch Information
Fleet has released patched versions that properly verify JWT signatures during the Windows MDM enrollment process. The fix is available in versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. Organizations should upgrade to the appropriate patched version based on their current release branch.
For technical details on the fix, refer to the fix commit on GitHub and the GitHub Security Advisory GHSA-63m5-974w-448v.
Workarounds
- Disable Windows MDM enrollment in Fleet until an upgrade can be performed
- Restrict network access to Fleet's MDM enrollment endpoints using firewall rules
- Implement network segmentation to limit exposure of the Fleet server to trusted networks only
- Use a web application firewall (WAF) to add an additional layer of authentication validation
# Temporary workaround: disable Windows MDM in the Fleet configuration.
# Add or modify in the fleet.yml configuration file; confirm the exact key
# names against the Fleet documentation for your version before applying.
mdm:
  windows:
    enabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.