CVE-2026-24004

EPSS 0.10%

Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

發布日:2026/2/26修改日:2026/3/9
也稱為:GHSA-9pm7-6g36-6j78GO-2026-4563

描述

### Summary A vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. ### Impact If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication. This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device. ### Workarounds If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM. ### For more information If there any questions or comments about this advisory: Email Fleet at [[email protected]](mailto:[email protected]) Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw) ### Credits Fleet thanks @secfox-ai for responsibly reporting this issue.

受影響套件(2)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

參考連結(4)