GHSA-4r5r-ccr6-q6f6: Fleet has an Access Control vulnerability in debug/pprof endpoints

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2026-23517

Fleet has an Access Control vulnerability in debug/pprof endpoints

High severity GitHub Reviewed Published Jan 20, 2026 in fleetdm/fleet • Updated Jan 20, 2026

Package

gomod github.com/fleetdm/fleet (Go)

Affected versions

>= 4.78.0, < 4.78.3

>= 4.77.0, < 4.77.1

>= 4.76.0, < 4.76.2

>= 4.75.0, < 4.75.2

Patched versions

4.78.3

4.77.1

4.76.2

4.75.2

gomod github.com/fleetdm/fleet/v4 (Go)

< 4.78.3-0.20260112221730-5c030e32a3a9

4.78.3-0.20260112221730-5c030e32a3a9

Impact

Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service.

Patches

• 4.78.3
• 4.77.1
• 4.76.2
• 4.75.2
• 4.53.3

Workarounds

If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com
Join #fleet in osquery Slack

References

• GHSA-4r5r-ccr6-q6f6
• fleetdm/fleet@5c030e3

Published to the GitHub Advisory Database

Jan 20, 2026

Last updated

Jan 20, 2026