SCA: security update for github.com/fleetdm/fleet/v4 (GHSA-x67p-9m2r-fxqv)

high Tenable Self-Hosted Container Security Plugin ID 441839

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a
denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain
unexpected input values were not handled gracefully, which could cause the Fleet server process to
terminate while processing an authenticated request from an enrolled Launcher host. An authenticated
attacker with access to any enrolled Launcher node key could cause an immediate and complete denial of
service by sending a single gRPC request to the `PublishLogs` endpoint. This vulnerability impacts
availability only. There is no exposure of sensitive data, no authentication bypass, no privilege
escalation, and no integrity impact. Version 4.81.0 contains a patch. If upgrading immediately is not
possible, the following mitigations can reduce exposure: restrict network access to the Fleet gRPC
endpoint where feasible (for example, limiting inbound access to known host IP ranges); deploy Fleet
behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required;
and/or monitor for repeated Fleet process crashes or unexpected restarts indicating potential
exploitation. (CVE-2026-26062)

Solution

Update the github.com/fleetdm/fleet/v4 library and its related packages to version 4.81.0 or later.

See Also

https://github.com/advisories/GHSA-x67p-9m2r-fxqv

Plugin Details

Severity: High

ID: 441839

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 5/14/2026

Updated: 6/22/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.69

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2026-26062

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/14/2026

Vulnerability Publication Date: 5/14/2026

Reference Information

CVE: CVE-2026-26062

CWE: CWE-20