CVE-2026-26060
Fleet: Password reset tokens remain valid after password change for 24 hours
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue.
| CWE | CWE-613 |
| Vendor | fleetdm |
| Product | fleet |
| Published | Mar 27, 2026 |
| Last Updated | Mar 27, 2026 |
Affected Versions
fleetdm / fleet
< 4.81.0
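
The flaw class described above (CWE-613), shown as an added Go sketch beside its corrected form; this is an illustration written for this page, not Fleet's code or its patch. `Store`, `ChangePassword`, `RedeemReset`, `staleTokenAccepted` and all token and hash strings are hypothetical, constructed names.

```go
package main

import (
	"fmt"
	"time"
)

type resetToken struct {
	userID  int
	expires time.Time
}

// Store is a hypothetical in-memory stand-in for the user and token tables.
type Store struct {
	pwHash map[int]string
	tokens map[string]resetToken
}

// ChangePassword stores the new hash; revoke=false leaves reset tokens alive (CWE-613).
func (s *Store) ChangePassword(userID int, newHash string, revoke bool) {
	s.pwHash[userID] = newHash
	for t, rt := range s.tokens {
		if revoke && rt.userID == userID {
			delete(s.tokens, t) // invalidate every outstanding token for this user
		}
	}
}

// RedeemReset accepts an unexpired token, then revokes all of that user's tokens.
func (s *Store) RedeemReset(token, newHash string, now time.Time) bool {
	rt, ok := s.tokens[token]
	if !ok || now.After(rt.expires) {
		return false
	}
	s.ChangePassword(rt.userID, newHash, true)
	return true
}

// staleTokenAccepted: token issued, password changed, old token presented an hour later.
func staleTokenAccepted(revoke bool) bool {
	t0 := time.Unix(0, 0) // constructed clock
	s := &Store{pwHash: map[int]string{}, tokens: map[string]resetToken{}}
	s.tokens["constructed-token"] = resetToken{1, t0.Add(24 * time.Hour)} // 24 h lifetime
	s.ChangePassword(1, "hash-after-defensive-change", revoke)
	return s.RedeemReset("constructed-token", "hash-from-token-holder", t0.Add(time.Hour))
}

func main() {
	fmt.Println("no revocation:", staleTokenAccepted(false), "revocation:", staleTokenAccepted(true))
}
```

Expiry alone does not close the gap: the token in the unrevoked path is well inside its lifetime when it is presented, so only deletion at password-change time rejects it.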