Fleet's user account creation via invite does not enforce invited email address

Description

Summary

Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin.

Impact

If an attacker gains access to a valid invite token, they can create a Fleet user account with an email address of their choosing while inheriting the invite’s assigned role and team memberships.

This issue:

  • Requires possession of a valid invite token
  • Does not bypass authentication controls beyond invite-based account creation
  • Does not expose data without successful account creation

Workarounds

If upgrading immediately is not possible:

  • Treat invite links as sensitive credentials and avoid sharing them in public or semi-public channels (e.g., Slack, Teams).
  • Revoke and reissue invites if there is any concern that an invite link may have been exposed.
  • Prefer issuing invites with the minimum required privileges and elevating roles after account creation when appropriate.

For more information

If there are any questions or comments about this advisory:

Send an email to [email protected]

Credits

Fleet thanks @fuzzztf for responsibly reporting this issue.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-30 19:29:13 UTC
Updated
2026-04-01 06:11:02 UTC
GitHub reviewed
2026-03-30 19:29:13 UTC
NVD published
2026-03-27

EPSS Score

Score Percentile
0.03% 8.91%

CVSS Scores

Base score Version Severity Vector
4.9 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:U)
Unreported: no public PoC, no reported exploitation, and no known simplification tools.

Identifiers

CWEs

CWE id Name
CWE-287 Improper Authentication

Credits

  • fuzzztf (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/fleetdm/fleet/v4 < 4.81.0 4.81.0

References

cvelogic Threat Intelligence