CVE-2026-26061 Overview
Fleet is an open source device management platform. In versions prior to 4.81.0, multiple unauthenticated HTTP endpoints read the request body into memory without enforcing a size limit. The flaw is classified as CWE-770 (Allocation of Resources Without Limits or Throttling): an unauthenticated attacker who sends large or repeated HTTP payloads makes the server allocate memory in proportion to the attacker-controlled body size, which leads to a denial-of-service (DoS) condition.
Critical Impact
Unauthenticated attackers can remotely exhaust the Fleet server's memory and make the device management platform unavailable, with no credentials or prior access. The impact described in the advisory is limited to availability.
Affected Products
- FleetDM Fleet versions prior to 4.81.0 (fixed in 4.81.0)
- Exposure is highest for self-hosted deployments whose Fleet server is reachable from untrusted networks with no upstream request body size limit (reverse proxy, load balancer or WAF) in front of it
Discovery Timeline
- 2026-03-27 - CVE-2026-26061 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-26061
Vulnerability Analysis
This vulnerability stems from improper resource allocation in Fleet's HTTP request handling. The affected endpoints do not cap the request body, so the server attempts to read an arbitrarily large body fully into memory. Because these endpoints require no authentication, any client that can reach the server over the network can trigger the allocation.
The impact is on availability. Each malicious request costs the server roughly as much memory as the body the attacker sends, and concurrent requests multiply that cost, so the process can be killed by the operating system's out-of-memory handling, crash, or stall until it no longer answers legitimate device management traffic.
Root Cause
The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerable code paths read the incoming HTTP request body into memory without bounding how many bytes they will accept. Checking the Content-Length header alone would not be enough either: a client can omit it (chunked transfer encoding) or lie about it, so the limit has to be enforced on the bytes actually read.
Properly secured HTTP endpoints enforce a maximum request body size at both the application level (a bounded reader around the body) and the infrastructure level (reverse proxy, load balancer or WAF), so that a single attacker-controlled number never dictates how much memory the server allocates.
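Fleet is written in Go, so the pattern and its fix are easiest to show in Go. The following is an added example written for this page; it is not Fleet's code and not the patch shipped in 4.81.0. unboundedHandler reads the whole body with io.ReadAll, which is the CWE-770 shape described above; boundedHandler wraps the body in the standard library's http.MaxBytesReader and answers 413 once the cap is exceeded. The 1 MiB cap, the handler names and the request path are assumptions chosen for illustration, and the requests are driven in-process with httptest so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap for illustration. Size it to the largest
// request a legitimate client of the endpoint ever sends.
const maxBodyBytes = 1 << 20 // 1 MiB

// unboundedHandler has the CWE-770 shape: io.ReadAll grows a buffer until the
// client stops sending, so the client decides how much memory the server
// allocates. Shown as the "before" pattern; do not copy it.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// boundedHandler is the hardened form. http.MaxBytesReader stops after
// maxBodyBytes, returns *http.MaxBytesError, and asks the server to close the
// connection instead of draining whatever the client still wants to send.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// post drives a handler in-process with an n-byte body (httptest, no network)
// and returns the status code and response text. The path is a placeholder;
// the advisory does not name the affected endpoints.
func post(h http.HandlerFunc, n int) (int, string) {
	body := strings.NewReader(strings.Repeat("A", n))
	req := httptest.NewRequest(http.MethodPost, "/api/v1/example", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, n := range []int{maxBodyBytes, 2 * maxBodyBytes} {
		c1, b1 := post(unboundedHandler, n)
		c2, b2 := post(boundedHandler, n)
		fmt.Printf("%7d-byte body: unbounded -> %d %q, bounded -> %d %q\n", n, c1, b1, c2, b2)
	}
}
```

Running it shows the unbounded handler happily reporting a 2 MiB read while the bounded one stops at the cap with 413. In a real server the MaxBytesReader wrapper belongs in middleware that runs before any JSON decoder touches the body, so that every endpoint, authenticated or not, inherits the limit; a reverse-proxy cap in front of it is still worthwhile, because the proxy rejects the request before the application allocates anything.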
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying publicly accessible Fleet endpoints that accept HTTP request bodies
- Crafting HTTP requests with extremely large payloads (potentially gigabytes)
- Sending multiple concurrent requests to amplify memory consumption
- Sustaining the attack until the server runs out of memory or becomes unresponsive
The attack can be executed remotely against any Fleet installation reachable over the network. Because the vulnerable endpoints require no authentication, the barrier to exploitation is very low: any HTTP client that can stream a large body is sufficient.
Detection Methods for CVE-2026-26061
Indicators of Compromise
- Unusual spike in memory consumption on Fleet server instances
- Large HTTP request bodies (well above the normal operational threshold) in reverse proxy access logs; note that the default nginx "combined" log format does not record request size, so $request_length or an equivalent field must be logged to see this
- Many requests from a single source IP targeting the unauthenticated endpoints, bearing in mind that legitimate agents behind one NAT gateway also share an address
- Service restarts or crashes correlating with memory exhaustion events
Detection Strategies
- Monitor Fleet server memory utilization for anomalous spikes that could indicate exploitation attempts
- Configure web application firewalls (WAF) to log and alert on requests exceeding normal body size thresholds
- Implement rate limiting on unauthenticated endpoints and alert when a client trips the limit
- Enable verbose logging on reverse proxies to capture request sizes and client behavior patterns
Monitoring Recommendations
- Set up automated alerts for Fleet service availability and memory consumption metrics
- Review HTTP access logs for patterns of large POST requests to Fleet endpoints
- Monitor for repeated connection attempts from single source IPs to unauthenticated API paths
- Establish baseline metrics for normal request sizes to quickly identify anomalous traffic
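The log review and source-IP monitoring above can be turned into a small, repeatable check. The program below is an added example written for this page, not Fleet tooling. It assumes a custom nginx log_format that records $request_length (the default "combined" format does not log request size), flags any request whose length exceeds a byte threshold, and counts POSTs per source IP to paths under /api/. The log lines are constructed, the thresholds are illustrative, and the enroll path appears only as a plausible unauthenticated endpoint; the advisory does not name the affected endpoints.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumed nginx log_format (an assumption for this example, not a default):
//   log_format fleet '$remote_addr [$time_local] "$request" $status $request_length';
// $request_length covers request line, headers and body, which is the field
// that reveals an oversized body; "combined" only logs the response size.
var lineRe = regexp.MustCompile(`^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$`)

// Entry is one parsed access-log record.
type Entry struct {
	IP, Method, Path string
	Status           int
	RequestLength    int64
}

// ParseLine parses one line in the assumed format; ok is false on a mismatch.
func ParseLine(line string) (e Entry, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	e.IP, e.Method, e.Path = m[1], m[3], m[4]
	e.Status, _ = strconv.Atoi(m[5])
	e.RequestLength, _ = strconv.ParseInt(m[6], 10, 64)
	return e, true
}

// Finding is one detection hit.
type Finding struct {
	IP, Reason string
	Count      int
}

// Detect returns (a) every request longer than maxLen bytes and (b) every
// source IP with more than maxPerIP POSTs to /api/ paths in the sample.
// Both thresholds are illustrative; baseline them on normal agent traffic
// first, and remember that many agents behind one NAT share an address.
func Detect(lines []string, maxLen int64, maxPerIP int) []Finding {
	var findings []Finding
	posts := map[string]int{}
	var ips []string // first-seen order, so output is deterministic
	for _, line := range lines {
		e, ok := ParseLine(line)
		if !ok {
			continue // skip lines in another format rather than guessing
		}
		if e.RequestLength > maxLen {
			findings = append(findings, Finding{
				IP:     e.IP,
				Reason: fmt.Sprintf("oversized request of %d bytes to %s", e.RequestLength, e.Path),
				Count:  1,
			})
		}
		if e.Method == "POST" && strings.HasPrefix(e.Path, "/api/") {
			if posts[e.IP] == 0 {
				ips = append(ips, e.IP)
			}
			posts[e.IP]++
		}
	}
	for _, ip := range ips {
		if posts[ip] > maxPerIP {
			findings = append(findings, Finding{IP: ip, Reason: "repeated POSTs to API paths", Count: posts[ip]})
		}
	}
	return findings
}

// SampleLog is constructed data, not a capture. 198.51.100.9 behaves like a
// normal agent; 203.0.113.7 sends one 50 MiB body and then keeps posting.
// The enroll path is used for illustration only.
var SampleLog = []string{
	`198.51.100.9 [27/Mar/2026:10:00:01 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 200 1432`,
	`198.51.100.9 [27/Mar/2026:10:00:03 +0000] "GET /healthz HTTP/1.1" 200 311`,
	`203.0.113.7 [27/Mar/2026:10:00:02 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 200 52428800`,
	`203.0.113.7 [27/Mar/2026:10:00:02 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 200 900000`,
	`203.0.113.7 [27/Mar/2026:10:00:02 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 200 900000`,
	`203.0.113.7 [27/Mar/2026:10:00:03 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 200 900000`,
	`203.0.113.7 [27/Mar/2026:10:00:03 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 503 900000`,
	`203.0.113.7 [27/Mar/2026:10:00:03 +0000] "POST /api/v1/osquery/enroll HTTP/1.1" 503 900000`,
	`this line is not in the assumed format and is skipped`,
}

func main() {
	for _, f := range Detect(SampleLog, 8<<20, 5) {
		fmt.Printf("%s: %s (count=%d)\n", f.IP, f.Reason, f.Count)
	}
}
```

On the sample it produces two findings for 203.0.113.7: the single 50 MiB request and the six POSTs that exceed the per-IP threshold. To run it against real traffic, replace SampleLog with lines read from the proxy log, keep the size threshold just above the largest legitimate payload observed during baselining, and raise the per-IP threshold to what a NAT'd site of agents legitimately generates over the window you examine.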
How to Mitigate CVE-2026-26061
Immediate Actions Required
- Upgrade Fleet to version 4.81.0 or later immediately to apply the security patch
- If immediate upgrade is not possible, implement request body size limits at the reverse proxy or load balancer level
- Review network exposure and restrict access to Fleet endpoints from untrusted networks where feasible
- Enable rate limiting on all HTTP endpoints as an additional defense layer
Patch Information
FleetDM has released version 4.81.0 which patches this vulnerability. Organizations running affected versions should upgrade immediately. For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory GHSA-99hj-44vg-hfcp.
Workarounds
- Configure upstream reverse proxies (nginx, Apache, HAProxy) to enforce a maximum request body size, set to the largest payload legitimate agents send; anything below the cap still reaches Fleet, so keep it as low as normal traffic allows
- Implement network-level access controls to restrict access to Fleet endpoints from trusted sources only
- Deploy a Web Application Firewall (WAF) with request size throttling capabilities
- Use cloud provider load balancers with built-in request size limits as a protective layer
# Example nginx configuration (reverse proxy in front of Fleet).
# limit_req_zone is only valid in the http context; client_max_body_size
# and limit_req go in the server or location block that proxies to Fleet.
http {
    limit_req_zone $binary_remote_addr zone=fleet_limit:10m rate=10r/s;

    server {
        # Cap request bodies. Tune this to the largest payload legitimate
        # agents send; an attacker can still send bodies up to this size.
        client_max_body_size 10m;

        location /api/ {
            # Per-source-IP rate limit. Agents behind one NAT share an
            # address, so size rate and burst to your fleet, not to 10r/s.
            limit_req zone=fleet_limit burst=20 nodelay;
            proxy_pass http://fleet_backend;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.