CVE-2026-26060 Overview
CVE-2026-26060 is an Insufficient Session Expiration vulnerability affecting Fleet, the open source device management software developed by FleetDM. Prior to version 4.81.0, a flaw in Fleet's password management logic allows previously issued password reset tokens to remain valid even after a user changes their password. This enables an attacker who has obtained a stale password reset token to reuse it to reset the account password, effectively bypassing any defensive password changes made by the legitimate user.
Critical Impact
Attackers with access to old password reset tokens can take over user accounts even after the legitimate user has changed their password, potentially leading to unauthorized access to managed devices and sensitive organizational data.
Affected Products
- FleetDM Fleet versions prior to 4.81.0
Discovery Timeline
- 2026-03-27 - CVE-2026-26060 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-26060
Vulnerability Analysis
This vulnerability is classified under CWE-613 (Insufficient Session Expiration), which occurs when an application does not properly invalidate security tokens when they should no longer be valid. In the context of Fleet's password management system, when a user initiates a password reset flow, the system generates a reset token. However, the vulnerability allows these tokens to persist as valid even after the user successfully changes their password through other means.
The attack requires network access and a low level of prior authorization. An attacker who has intercepted or obtained a password reset token through phishing, email compromise, or other means could retain this token and use it at a later time—even if the legitimate account holder has since changed their password as a defensive measure.
Root Cause
The root cause lies in Fleet's password management logic failing to invalidate all outstanding password reset tokens when a user's password is changed. Proper session and token management should ensure that any password change event triggers the immediate invalidation of all pending password reset tokens associated with that account. Fleet versions prior to 4.81.0 did not implement this invalidation properly, leaving stale tokens active and usable.
Attack Vector
The attack is network-based and requires the attacker to first obtain a valid password reset token. This could be achieved through:
- Email compromise - Accessing the victim's email account to retrieve a previously sent reset link
- Phishing attacks - Tricking the user into clicking a malicious link that captures the reset token
- Man-in-the-middle interception - Intercepting password reset emails in transit
Once an attacker possesses a reset token, they can hold onto it even if the legitimate user changes their password. The stale token remains functional, allowing the attacker to reset the password at their convenience and gain unauthorized access to the Fleet management console.
The vulnerability mechanism involves the password reset token validation process not checking whether the user's password has been changed since the token was issued. For detailed technical information, refer to the GitHub Security Advisory GHSA-3458-r943-hmx4.
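Fleet is written in Go, so the following added example uses Go to model the defect class described above and the fix the advisory says 4.81.0 applies. It is not Fleet's code or the advisory's: the store, account and resetToken types and the hardened flag are assumptions of this example. With hardened=false a password change leaves pending tokens valid (the pre-4.81.0 behaviour); with hardened=true the change revokes them, and redemption additionally rejects any token issued at or before the account's last password change, which is the missing check the text describes.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Illustrative model of the defect class in the advisory; NOT Fleet's code, and all names are assumptions.
type resetToken struct {
	userID   int
	issuedAt time.Time
	expires  time.Time
}

type account struct {
	passwordHash    string    // placeholder; a real system stores a salted hash
	passwordChanged time.Time // when the password was last set
}

type store struct {
	users  map[int]*account
	tokens map[string]*resetToken // token value -> metadata
	now    func() time.Time       // injectable clock for the worked scenario
}

// issueResetToken creates a random single-use token bound to the user.
func (s *store) issueResetToken(userID int, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.tokens[tok] = &resetToken{userID: userID, issuedAt: s.now(), expires: s.now().Add(ttl)}
	return tok, nil
}

// changePassword sets a new hash. hardened=false mirrors the behaviour the advisory
// describes (pending reset tokens stay valid); hardened=true revokes every pending token.
func (s *store) changePassword(userID int, newHash string, hardened bool) {
	u := s.users[userID]
	u.passwordHash = newHash
	u.passwordChanged = s.now()
	if !hardened {
		return
	}
	for t, rt := range s.tokens {
		if rt.userID == userID {
			delete(s.tokens, t)
		}
	}
}

// redeemResetToken consumes a token and sets a new password. The hardened path adds an
// independent check: a token issued at or before the last password change is rejected.
func (s *store) redeemResetToken(tok, newHash string, hardened bool) error {
	rt, ok := s.tokens[tok]
	if !ok {
		return errors.New("invalid or revoked token")
	}
	delete(s.tokens, tok) // single use, whatever the outcome
	if s.now().After(rt.expires) {
		return errors.New("token expired")
	}
	u := s.users[rt.userID]
	if hardened && !rt.issuedAt.After(u.passwordChanged) {
		return errors.New("token predates last password change")
	}
	u.passwordHash = newHash
	u.passwordChanged = s.now()
	return nil
}

// staleTokenWorks replays the advisory's scenario: a token is issued, the
// legitimate user then changes their password, and the old token is tried
// later. It returns true when the stale token still resets the password.
func staleTokenWorks(hardened bool) bool {
	clock := time.Date(2026, 3, 1, 12, 0, 0, 0, time.UTC)
	s := &store{users: map[int]*account{}, tokens: map[string]*resetToken{},
		now: func() time.Time { return clock }}
	s.users[1] = &account{passwordHash: "h0", passwordChanged: clock.Add(-24 * time.Hour)}
	tok, err := s.issueResetToken(1, time.Hour)
	if err != nil {
		return false
	}
	clock = clock.Add(5 * time.Minute)
	s.changePassword(1, "h1", hardened) // defensive change by the real user
	clock = clock.Add(5 * time.Minute)
	return s.redeemResetToken(tok, "h-attacker", hardened) == nil
}

func main() {
	fmt.Println("stale token usable, pre-fix behaviour:", staleTokenWorks(false))
	fmt.Println("stale token usable, hardened:", staleTokenWorks(true))
}
```

Revoking outstanding tokens on every password change is the primary fix. The redeem-side comparison of issue time against the account's last password change is defence in depth: it catches a token that escaped revocation, for instance when tokens and accounts live in separate stores and one update succeeds while the other does not.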
Detection Methods for CVE-2026-26060
Indicators of Compromise
- Multiple password reset attempts for the same account within a short timeframe
- Password reset token usage occurring after a recent password change event
- Login activity from unusual IP addresses or geolocations following a password reset
- Authentication logs showing account access patterns inconsistent with user behavior
Detection Strategies
- Implement monitoring for password reset token usage, correlating with password change events to identify token reuse after password changes
- Configure alerts for multiple failed or successful password resets on the same account
- Deploy anomaly detection on authentication logs to identify suspicious login patterns following password modifications
- Review Fleet audit logs for authentication events that may indicate account takeover attempts
Monitoring Recommendations
- Enable comprehensive logging for all password reset and authentication events in Fleet
- Monitor for token validation requests that occur after corresponding password change timestamps
- Implement SIEM rules to correlate password change events with subsequent password reset token usage
- Establish baseline user authentication patterns to detect anomalies indicative of account compromise
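As an added example (not from this page's source or from Fleet), the correlation the monitoring bullets describe, written in Go over a handful of constructed audit events: a reset token redeemed within a lookback window after the same account's password change, and a burst of reset events for one account. The JSON field names, event names and thresholds are assumptions of this example; map them to the actual Fleet audit event schema before using the logic in a SIEM rule.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample events for this example; the field and event names are
// assumptions, not Fleet's real audit log schema.
const sampleLog = `{"ts":"2026-03-28T09:02:00Z","event":"password_changed","user":"alice"}
{"ts":"2026-03-28T11:30:00Z","event":"password_reset_token_used","user":"alice"}
{"ts":"2026-03-28T12:00:00Z","event":"password_reset_requested","user":"bob"}
{"ts":"2026-03-28T12:03:00Z","event":"password_reset_token_used","user":"bob"}
{"ts":"2026-03-28T13:00:00Z","event":"password_reset_token_used","user":"carol"}
{"ts":"2026-03-28T13:04:00Z","event":"password_reset_token_used","user":"carol"}
{"ts":"2026-03-28T13:08:00Z","event":"password_reset_token_used","user":"carol"}
`

type event struct {
	TS    time.Time `json:"ts"`
	Event string    `json:"event"`
	User  string    `json:"user"`
}

type alert struct {
	Rule, User string
	At         time.Time
}

// parseEvents reads one JSON object per line and returns them in time order.
func parseEvents(raw string) ([]event, error) {
	var events []event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		var e event
		if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", sc.Text(), err)
		}
		events = append(events, e)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].TS.Before(events[j].TS) })
	return events, nil
}

// detectStaleTokenUse flags a reset token redeemed within lookback after the same
// user's latest password change; a normal reset has no change between request and use.
func detectStaleTokenUse(events []event, lookback time.Duration) []alert {
	var alerts []alert
	lastChange := map[string]time.Time{} // user -> most recent password_changed
	for _, e := range events {
		if e.Event == "password_changed" {
			lastChange[e.User] = e.TS
		} else if c, ok := lastChange[e.User]; ok && e.Event == "password_reset_token_used" && e.TS.Sub(c) <= lookback {
			alerts = append(alerts, alert{Rule: "stale_reset_token_use", User: e.User, At: e.TS})
		}
	}
	return alerts
}

// detectResetBursts flags a user with at least threshold reset events inside a
// sliding window (the "multiple reset attempts in a short timeframe" indicator).
func detectResetBursts(events []event, window time.Duration, threshold int) []alert {
	perUser := map[string][]time.Time{} // time-ordered because events are sorted
	for _, e := range events {
		if e.Event == "password_reset_requested" || e.Event == "password_reset_token_used" {
			perUser[e.User] = append(perUser[e.User], e.TS)
		}
	}
	var alerts []alert
	for u, ts := range perUser {
		for i := 0; i+threshold <= len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				alerts = append(alerts, alert{Rule: "reset_burst", User: u, At: ts[i]})
				break // one alert per user
			}
		}
	}
	return alerts
}

// analyze runs both rules with thresholds a SIEM rule might start from.
func analyze(raw string) ([]alert, error) {
	events, err := parseEvents(raw)
	if err != nil {
		return nil, err
	}
	return append(detectStaleTokenUse(events, 24*time.Hour),
		detectResetBursts(events, 15*time.Minute, 3)...), nil
}

func main() {
	alerts, err := analyze(sampleLog)
	fmt.Println(alerts, err)
}
```

On the sample, alice trips the stale-token rule (token redeemed about two and a half hours after her password change) and carol trips the burst rule (three reset events in eight minutes), while bob's ordinary request-then-redeem flow stays quiet. The lookback should be at least as long as the reset token lifetime, otherwise a token redeemed late in its validity window after a change would be missed.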
How to Mitigate CVE-2026-26060
Immediate Actions Required
- Upgrade Fleet to version 4.81.0 or later immediately to address this vulnerability
- Review audit logs for any suspicious password reset activity that may indicate exploitation
- Force password resets for any accounts where suspicious activity is detected
- Invalidate all existing password reset tokens by forcing users to request new ones after the upgrade
Patch Information
FleetDM has released version 4.81.0 which patches this vulnerability by ensuring that all outstanding password reset tokens are properly invalidated when a user's password is changed. Organizations running Fleet should upgrade to this version or later as soon as possible. For more details, see the FleetDM Security Advisory.
Workarounds
- Implement short expiration times for password reset tokens at the organizational level if configurable
- Enable multi-factor authentication (MFA) to add an additional layer of protection against account takeover
- Monitor password reset token usage closely and investigate any anomalous patterns
- Consider temporarily disabling self-service password reset functionality until the patch can be applied
Organizations should prioritize applying the official patch as workarounds only reduce risk and do not fully address the underlying vulnerability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.