CVE-2026-46370 is a medium-severity SQL injection vulnerability in github.com/fleetdm/fleet/v4 (go), affecting versions <= 4.84.1. It is fixed in 4.84.2.
Summary A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets (nodekey, orbitnodekey) through a cursor-based binary search oracle. The endpoint accepted a user-supplied orderkey parameter that was not validated against a column allowlist, permitting sort order to be driven by sensitive columns in a joined table. Impact The GET /api/v1/fleet/labels/{id}/hosts endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the ORDER BY clause. An attacker with Global Observer or Team Observer credentials could supply a sensitive column name (for example, h.nodekey) as orderkey and combine it with the cursor-based after parameter to binary-search the values of those columns one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character. The nodekey and orbitnodekey values are the long-lived shared secrets used by osquery and Orbit agents to authenticate to the Fleet server. An attacker who extracted these keys could: Impersonate enrolled hosts to Fleet's osquery and Orbit endpoints Submit fabricated query results and host inventory data Retrieve pending scripts and MDM commands queued for the host Poison compliance and policy results across the Fleet deployment Exploitation required authenticated Observer access. Fleet deployments that restrict Observer roles to fully trusted users were at lower practical risk, but the secrets exposed are high-value and long-lived. Patches v4.85.0 Workarounds If an immediate upgrade is not possible, administrators should: Restrict the Observer role to fully trusted users until the patch is applied Rotate nodekey and orbitnodekey for any host suspected of exposure by re-enrolling the affected hosts For more information If there are any questions or comments about this advisory: Email Fleet at [email protected] Join #fleet in osquery Slack Credits Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.
Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.
CVE-2026-46370 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (4.84.2). Upgrading removes the vulnerable code path.
go
github.com/fleetdm/fleet/v4 (<= 4.84.1)github.com/fleetdm/fleet/v4 → 4.84.2 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-46370 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-46370 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-46370 in your environment →Upgrade github.com/fleetdm/fleet/v4 to 4.84.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-46370 is a medium-severity SQL injection vulnerability in github.com/fleetdm/fleet/v4 (go), affecting versions <= 4.84.1. It is fixed in 4.84.2. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
CVE-2026-46370 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/fleetdm/fleet/v4 (go) versions <= 4.84.1 is affected.
Yes. CVE-2026-46370 is fixed in 4.84.2. Upgrade to this version or later.
Whether CVE-2026-46370 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/fleetdm/fleet/v4 to 4.84.2 or later.