GHSA-VXM7-9X8V-8GM4

Vulnerability from github – Published: 2026-06-12 21:00 – Updated: 2026-06-26 20:20
VLAI
Summary
Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint
Details

Summary

A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (node_key, orbit_node_key) through a cursor-based binary search oracle. The endpoint accepted a user-supplied order_key parameter that was not validated against a column allowlist, permitting sort order to be driven by sensitive columns in a joined table.

Impact

The GET /api/v1/fleet/labels/{id}/hosts endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the ORDER BY clause. An attacker with Global Observer or Team Observer credentials could supply a sensitive column name (for example, h.node_key) as order_key and combine it with the cursor-based after parameter to binary-search the values of those columns one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.

The node_key and orbit_node_key values are the long-lived shared secrets used by osquery and Orbit agents to authenticate to the Fleet server. An attacker who extracted these keys could:

  • Impersonate enrolled hosts to Fleet's osquery and Orbit endpoints
  • Submit fabricated query results and host inventory data
  • Retrieve pending scripts and MDM commands queued for the host
  • Poison compliance and policy results across the Fleet deployment

Exploitation required authenticated Observer access. Fleet deployments that restrict Observer roles to fully trusted users were at lower practical risk, but the secrets exposed are high-value and long-lived.

Patches

  • v4.85.0

Workarounds

If an immediate upgrade is not possible, administrators should:

  • Restrict the Observer role to fully trusted users until the patch is applied
  • Rotate node_key and orbit_node_key for any host suspected of exposure by re-enrolling the affected hosts

For more information

If there are any questions or comments about this advisory:

Email Fleet at security@fleetdm.com Join #fleet in osquery Slack

Credits

Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.84.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.84.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T21:00:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA vulnerability in Fleet\u0027s labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (`node_key`, `orbit_node_key`) through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist, permitting sort order to be driven by sensitive columns in a joined table.\n\n### Impact\n\nThe `GET /api/v1/fleet/labels/{id}/hosts` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. An attacker with Global Observer or Team Observer credentials could supply a sensitive column name (for example, `h.node_key`) as `order_key` and combine it with the cursor-based `after` parameter to binary-search the values of those columns one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character.\n\nThe `node_key` and `orbit_node_key` values are the long-lived shared secrets used by osquery and Orbit agents to authenticate to the Fleet server. An attacker who extracted these keys could:\n\n- Impersonate enrolled hosts to Fleet\u0027s osquery and Orbit endpoints\n- Submit fabricated query results and host inventory data\n- Retrieve pending scripts and MDM commands queued for the host\n- Poison compliance and policy results across the Fleet deployment\n\nExploitation required authenticated Observer access. Fleet deployments that restrict Observer roles to fully trusted users were at lower practical risk, but the secrets exposed are high-value and long-lived.\n\n### Patches\n\n- v4.85.0\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should:\n\n- Restrict the Observer role to fully trusted users until the patch is applied\n- Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.",
  "id": "GHSA-vxm7-9x8v-8gm4",
  "modified": "2026-06-26T20:20:29Z",
  "published": "2026-06-12T21:00:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-vxm7-9x8v-8gm4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…