CVE-2026-24004 Overview
Fleet is open source device management software. A vulnerability in Fleet's Android MDM Pub/Sub handling allows unauthenticated requests to trigger device unenrollment events, potentially resulting in unauthorized removal of individual Android devices from Fleet management. This missing authorization vulnerability (CWE-862) enables attackers to send crafted requests to the Android Pub/Sub endpoint to unenroll targeted Android devices without authentication.
Critical Impact
Attackers can disrupt Android device management by unenrolling devices from Fleet without authentication. While this does not grant access to Fleet, allow execution of commands, or provide visibility into device data, it can cause significant operational disruption for affected organizations.
Affected Products
- Fleet versions prior to 4.80.1
- Fleet Android MDM enabled deployments
- Android devices enrolled through Fleet MDM
Discovery Timeline
- February 26, 2026 - CVE-2026-24004 published to NVD
- February 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-24004
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), a common weakness where software fails to perform an authorization check when an actor attempts to access a resource or perform an action. In Fleet's implementation, the Android MDM Pub/Sub endpoint lacks proper authentication validation, allowing any unauthenticated user to interact with the endpoint and trigger device management actions.
The vulnerability is network-accessible and requires no user interaction to exploit. Attack complexity is low; the one stated precondition is that Android MDM must be enabled on the target Fleet installation. The impact is limited to integrity violations affecting device enrollment status, with no confidentiality or availability impact on the Fleet system itself.
Root Cause
The root cause is a missing authorization check in Fleet's Android MDM Pub/Sub handling mechanism. The endpoint responsible for processing device enrollment events fails to validate whether incoming requests originate from authenticated and authorized sources before processing unenrollment commands. This architectural oversight allows external parties to submit crafted requests that the system processes as legitimate management commands.
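The missing check described above, as an added illustration that is not Fleet's code: a minimal WSGI endpoint that applies a Pub/Sub-style unenrollment message as delivered, beside a hardened version that refuses deliveries lacking the bearer token bound to the push subscription. The message shape, the path, the token mechanism and the `deliver` helper are assumptions for the example; the page does not describe how Fleet's fix authenticates deliveries.

```python
import hmac
import io
import json
from wsgiref.util import setup_testing_defaults

# Constructed enrollment state standing in for Fleet's device table (sample data).
ENROLLED = {"android-42": True}

def _apply_event(environ):
    """Apply a constructed Pub/Sub-style message. The body shape is an assumption;
    Fleet's real message schema is not on the page."""
    size = int(environ.get("CONTENT_LENGTH") or 0)
    try:
        attrs = json.loads(environ["wsgi.input"].read(size))["attributes"]
        event, device = attrs["event"], attrs["device_id"]
    except (ValueError, KeyError, TypeError):
        return "400 Bad Request"
    if event == "unenroll":
        ENROLLED.pop(device, None)
    return "200 OK"

def vulnerable_app(environ, start_response):
    """CWE-862 pattern: the event is applied without establishing who delivered it."""
    start_response(_apply_event(environ), [])
    return []

def hardened_app(token):
    """Hypothetical hardening (not Fleet's actual fix): require the bearer token bound
    to the push subscription first; an empty configured token rejects every delivery."""
    def app(environ, start_response):
        got = environ.get("HTTP_AUTHORIZATION", "").removeprefix("Bearer ")
        if not token or not hmac.compare_digest(got.encode(), token.encode()):
            start_response("401 Unauthorized", [])
            return []
        return vulnerable_app(environ, start_response)
    return app

def deliver(app, authorization=None):
    """Post a constructed unenroll event for android-42; return (status, still enrolled)."""
    ENROLLED["android-42"] = True
    body = json.dumps({"attributes": {"event": "unenroll", "device_id": "android-42"}}).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/placeholder-pubsub-path",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    status = []
    app(environ, lambda s, headers: status.append(s))
    return status[0], ENROLLED.get("android-42", False)
```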
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted requests to Fleet's Android Pub/Sub endpoint. The attack is network-based and does not require prior authentication to Fleet or any special privileges. When Android MDM is enabled, the vulnerable endpoint accepts and processes unenrollment requests without validating the request source.
The attacker would need to:
- Identify a Fleet instance with Android MDM enabled
- Determine the target Android device identifier
- Send a crafted unenrollment request to the Pub/Sub endpoint
- As a result, the device is removed from Fleet management without authorization
For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory (GHSA-9pm7-6g36-6j78).
Detection Methods for CVE-2026-24004
Indicators of Compromise
- Unexpected unenrollment events for Android devices in Fleet audit logs
- Unauthenticated requests to the Android MDM Pub/Sub endpoint from external IP addresses
- Anomalous patterns of device unenrollment that don't correlate with administrative actions
- HTTP requests to Pub/Sub endpoints without associated authentication tokens
Detection Strategies
- Monitor Fleet audit logs for device unenrollment events that lack corresponding administrative approval
- Implement network monitoring to detect unauthenticated requests to the Android MDM Pub/Sub endpoint
- Configure alerting for bulk or rapid device unenrollment activities
- Review web server access logs for requests to the Android MDM endpoint from unexpected sources
Monitoring Recommendations
- Enable detailed logging for all Android MDM Pub/Sub endpoint activity
- Set up alerts for any device unenrollment events outside of maintenance windows
- Implement rate limiting and anomaly detection on the Pub/Sub endpoint
- Cross-reference device unenrollment events with administrator activity logs
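The cross-referencing and bulk-alerting strategies above, as added example code that is neither Fleet's nor the advisory's: it reads constructed JSON audit lines (the field names are assumptions, not Fleet's real activity schema), flags device unenrollments that no administrator action on the same device precedes within a window, and raises a burst flag when several such events land inside one window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (assumed field names, not Fleet's real activity schema):
# one admin-driven removal, then rapid unenrollments no administrator ordered.
SAMPLE_LOG = [
    '{"time":"2026-02-26T09:00:00Z","type":"admin_unenroll","device_id":"android-01"}',
    '{"time":"2026-02-26T09:00:30Z","type":"device_unenrolled","device_id":"android-01"}',
    '{"time":"2026-02-26T13:10:00Z","type":"device_unenrolled","device_id":"android-07"}',
    '{"time":"2026-02-26T13:10:05Z","type":"device_unenrolled","device_id":"android-08"}',
    '{"time":"2026-02-26T13:10:09Z","type":"device_unenrolled","device_id":"android-09"}',
]

def _parse(lines):
    """Yield records with the ISO-8601 timestamp turned into an aware datetime."""
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield rec

def analyze(lines, window=timedelta(minutes=10), burst_max=3):
    """Return (unexplained_device_ids, burst_detected).

    A device_unenrolled event is explained when an admin_unenroll for the same
    device precedes it by at most `window`. burst_detected is set when at least
    `burst_max` unexplained events fall inside one window, which is the "bulk or
    rapid unenrollment" condition to alert on."""
    records = sorted(_parse(lines), key=lambda r: r["time"])
    admin_actions = defaultdict(list)
    for r in records:
        if r["type"] == "admin_unenroll":
            admin_actions[r["device_id"]].append(r["time"])
    unexplained, recent, burst = [], [], False
    for r in records:
        if r["type"] != "device_unenrolled":
            continue
        if any(timedelta(0) <= r["time"] - t <= window for t in admin_actions[r["device_id"]]):
            continue  # an administrator ordered this removal shortly before
        unexplained.append(r["device_id"])
        recent = [t for t in recent if r["time"] - t <= window] + [r["time"]]
        burst = burst or len(recent) >= burst_max
    return unexplained, burst
```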
How to Mitigate CVE-2026-24004
Immediate Actions Required
- Upgrade Fleet to version 4.80.1 or later immediately
- If upgrade is not immediately possible, temporarily disable Android MDM functionality
- Review Fleet audit logs for any suspicious unenrollment activity prior to patching
- Re-enroll any devices that may have been maliciously unenrolled
Patch Information
Fleet version 4.80.1 addresses this vulnerability by implementing proper authentication checks on the Android MDM Pub/Sub endpoint. Organizations should upgrade to this version or later to remediate the vulnerability. The fix is documented in the GitHub Security Advisory GHSA-9pm7-6g36-6j78.
Workarounds
- Disable Android MDM functionality in Fleet until the patch can be applied
- Implement network-level access controls to restrict access to the Android Pub/Sub endpoint
- Use a web application firewall (WAF) to filter unauthenticated requests to sensitive endpoints
- Segment Fleet infrastructure to limit exposure of the MDM endpoints to trusted networks only
# Example: Disable Android MDM in Fleet configuration
# Consult Fleet documentation for your specific deployment method
# For YAML configuration:
# server_settings:
#   android_mdm:
#     enabled: false
# Verify Android MDM status after configuration change
fleetctl get config | grep android_mdm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.