{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26060", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-10T18:01:31.899Z", "datePublished": "2026-03-27T18:22:43.244Z", "dateUpdated": "2026-03-27T19:32:38.862Z"}, "containers": {"cna": {"title": "Fleet: Password reset tokens remain valid after password change for 24 hours", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4"}], "affected": [{"vendor": "fleetdm", "product": "fleet", "versions": [{"version": "< 4.81.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:22:43.244Z"}, "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet\u2019s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue."}], "source": {"advisory": "GHSA-3458-r943-hmx4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:32:16.341764Z", "id": "CVE-2026-26060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:32:38.862Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet\u2019s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change. Version 4.81.0 patches the issue."}], "id": "CVE-2026-26060", "lastModified": "2026-03-27T19:16:42.240", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T19:16:42.240", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:22:01.461174+00:00", "value": {"mitigation_remediation": ["Upgrade Fleet to version 4.81.0 or newer.", "Check the Fleet release notes for additional mitigations if available.", "If you cannot upgrade immediately, consider enabling multi\u2011factor authentication and monitoring password reset logs."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Password Reset"}, "threat_synthesis": {"affected_systems": "Fleet by fleetdm is the only vendor listed for this issue. The vulnerability exists in all releases prior to 4.81.0. Users running Fleet 4.80.x and earlier are potentially exposed. Versions 4.81.0 and newer contain a fix that invalidates reset tokens immediately upon password change.", "description_and_impact": "Password reset tokens in Fleet remain valid for 24 hours even after the user changes their password. An attacker who already has a valid token can use it to reset the account password after a user has taken defensive action, effectively bypassing the password change. This vulnerability, classified as CWE\u2011613, allows unauthorized account takeover and can jeopardize the confidentiality and integrity of the affected user\u2019s account.", "risk_and_exploitability": "The CVSS score of 6.0 indicates a moderate impact; however, the exploit does not require specialized skills, only a valid token. The EPSS score is not available, and the vulnerability is not currently in CISA\u2019s KEV catalog. The likely attack vector is an attacker with a stale reset token, which may be intercepted via email or other channels. Once the token is used, the attacker can set a new password and gain full control of the account."}}}}, "created": "2026-03-27T20:27:46.883133+00:00", "updated": "2026-03-27T20:27:46.883164+00:00", "vendors": []}