CVE-2026-46356— Fleet: IP spoofing allows bypassing API rate limiting

Fleet: IP spoofing allows bypassing API rate limiting

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Fleet extracted client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating that those headers originate from a trusted proxy. The extracted IP is used as the key for rate limiting and IP ban decisions. As a result, an attacker could rotate the value of these headers on each request, causing Fleet to treat each attempt as coming from a different client. This effectively bypasses per-IP rate limits on sensitive endpoints such as the login API, enabling unrestricted brute-force or credential stuffing attacks. This issue primarily affects Fleet instances that are directly exposed to the internet without a reverse proxy that overwrites forwarded-IP headers. Instances behind a properly configured proxy or WAF are less affected. Version 4.80.1 contains a patch. If an immediate upgrade is not possible, administrators should ensure Fleet is deployed behind a reverse proxy (e.g., nginx, Cloudflare, AWS ALB) that overwrites `X-Forwarded-For` with the true client IP, and apply rate limiting at the proxy or WAF layer.

N/A

使用欺骗进行的认证绕过

Fleet 安全漏洞

Fleet是Fleet Device Management开源的一个设备管理平台，支持多种操作系统和设备，帮助 IT 和安全团队进行设备管理、漏洞报告、MDM 等操作。 Fleet 4.80.1之前版本存在安全漏洞，该漏洞源于IP提取逻辑未验证请求头来源，可能导致未经身份验证的攻击者通过伪造客户端IP标头绕过API速率限制，从而进行暴力破解登录或其他滥用攻击。

N/A

N/A