CVE-2026-34389
Fleet's user account creation via invite does not enforce invited email address
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
12th
Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin. Version 4.81.0 patches the issue.
| CWE | CWE-287 |
| Vendor | fleetdm |
| Product | fleet |
| Published | Mar 27, 2026 |
| Last Updated | Mar 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for fleetdm fleet
Be the first to know when new unknown vulnerabilities affecting fleetdm fleet are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
fleetdm / fleet
< 4.81.0