CVE-2026-46371 is a medium-severity SQL injection vulnerability in github.com/fleetdm/fleet/v4 (go), affecting versions <= 4.84.1. It is fixed in 4.84.2.
Summary A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables, including host enrollment secrets and Apple Push Notification Service (APNS) tokens, through a cursor-based binary search oracle. The endpoint accepted a user-supplied orderkey parameter that was not validated against a column allowlist. Impact The GET /api/v1/fleet/mdm/apple/commands endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the ORDER BY clause. The underlying query joins the hosts and nanoenrollments tables, so any column on those tables could be supplied as orderkey. An attacker with Observer credentials could then use the cursor-based pagination parameter (after) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character. With extracted nodekey or orbitnodekey values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate. Exploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected. Workarounds If an immediate upgrade is not possible, administrators should: Restrict the Observer role to fully trusted users until the patch is applied Rotate nodekey and orbitnodekey for any host suspected of exposure by re-enrolling the affected hosts For more information If there are any questions or comments about this advisory: Email Fleet at [email protected] Join #fleet in osquery Slack Credits Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.
Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.
CVE-2026-46371 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (4.84.2). Upgrading removes the vulnerable code path.
go
github.com/fleetdm/fleet/v4 (<= 4.84.1)github.com/fleetdm/fleet/v4 → 4.84.2 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-46371 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-46371 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-46371 in your environment →Upgrade github.com/fleetdm/fleet/v4 to 4.84.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-46371 is a medium-severity SQL injection vulnerability in github.com/fleetdm/fleet/v4 (go), affecting versions <= 4.84.1. It is fixed in 4.84.2. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
CVE-2026-46371 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/fleetdm/fleet/v4 (go) versions <= 4.84.1 is affected.
Yes. CVE-2026-46371 is fixed in 4.84.2. Upgrade to this version or later.
Whether CVE-2026-46371 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/fleetdm/fleet/v4 to 4.84.2 or later.