GHSA-63m5-974w-448v: Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Impact
If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.
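The defect the advisory describes, shown as an added example that is not Fleet's code and is not taken from the fix commit: a minimal Go verifier with the vulnerable pattern (reading JWT claims without checking the signature) next to the hardened check (algorithm pinned to RS256, signature verified with the issuer's public key, issuer and audience compared before any claim is trusted). The issuer URL, audience, claim set and the example user names are constructed placeholders. A real enrollment flow fetches the issuer's current public keys from the tenant's published JWKS and picks the key named by the token's kid header; this example replaces that with a throwaway in-memory key that also mints the sample tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed placeholders; a deployment uses its own tenant issuer URL and app audience.
const trustedIssuer = "https://login.microsoftonline.com/<tenant-id>/v2.0"
const enrollmentAudience = "example-mdm-enrollment-app"

// Claims is the claim set an enrollment flow might read (assumed fields, not Fleet's type).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Upn string `json:"upn"`
}

// decodeUnverified unmarshals JWT segment i (0 header, 1 payload) into v without
// touching the signature. Treating its payload output as an identity is exactly
// the vulnerable pattern: whoever built the token chose those claims.
func decodeUnverified(token string, i int, v any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	b, err := base64.RawURLEncoding.DecodeString(parts[i])
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// verifyClaims is the hardened form: pin the algorithm, verify the RS256 signature
// with the issuer's public key, then check iss and aud before any claim is trusted.
func verifyClaims(token string, pub *rsa.PublicKey, wantIss, wantAud string) (Claims, error) {
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeUnverified(token, 0, &hdr); err != nil {
		return Claims{}, err
	}
	if hdr.Alg != "RS256" { // refuses "none" and algorithm-confusion headers
		return Claims{}, errors.New("unexpected alg")
	}
	parts := strings.Split(token, ".") // exactly three segments, checked above
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("invalid signature")
	}
	var c Claims // reading the payload is safe only after the signature check
	if err := decodeUnverified(token, 1, &c); err != nil {
		return Claims{}, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return Claims{}, errors.New("issuer or audience mismatch")
	}
	return c, nil
}

// signingInput encodes header.payload; the signature segment is appended by the caller.
func signingInput(c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(c) // cannot fail for a struct of plain strings
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body)
}

// issuerKey is a throwaway in-memory key standing in for Azure AD's signing key.
var issuerKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// sampleTokens mints one genuinely signed token and one forged token (arbitrary
// claims, no valid signature) like the one the advisory describes; both are constructed.
func sampleTokens() (genuine, forged string) {
	in := signingInput(Claims{Iss: trustedIssuer, Aud: enrollmentAudience, Upn: "alice@example.test"})
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, issuerKey, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // fixture only; signing with a fresh in-memory key does not fail
	}
	genuine = in + "." + base64.RawURLEncoding.EncodeToString(sig)
	forged = signingInput(Claims{Iss: trustedIssuer, Aud: enrollmentAudience, Upn: "other-user@example.test"}) + ".bm90LXNpZ25lZA"
	return genuine, forged
}

func main() {
	genuine, forged := sampleTokens()
	for _, tok := range []string{forged, genuine} {
		var unverified Claims
		_ = decodeUnverified(tok, 1, &unverified)
		verified, err := verifyClaims(tok, &issuerKey.PublicKey, trustedIssuer, enrollmentAudience)
		fmt.Printf("unverified upn=%q | verified upn=%q err=%v\n", unverified.Upn, verified.Upn, err)
	}
}
```

Run it and the unverified decode reports other-user@example.test for the forged token, while verifyClaims returns an invalid-signature error for that token and accepts only the genuinely signed one. The ordering is the point: nothing in the payload is used for identity until the signature has been checked against a key the server trusts, and a token that passes the signature check but names the wrong issuer or audience is still refused.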
Patches
- 4.78.3
- 4.77.1
- 4.76.2
- 4.75.2
- 4.53.3
Workarounds
If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
For more information
If you have any questions or comments about this advisory:
Email us at security@fleetdm.com
Join #fleet in osquery Slack
- CVE-2026-23518
Critical severity GitHub Reviewed Published Jan 20, 2026 in fleetdm/fleet • Updated Jan 20, 2026
Package
gomod github.com/fleetdm/fleet (Go)
Affected versions
>= 4.78.0, < 4.78.3
>= 4.77.0, < 4.77.1
>= 4.76.0, < 4.76.2
>= 4.75.0, < 4.75.2
< 4.43.5-0.20260112202845-e225ef57912c
Patched versions
4.78.3
4.77.1
4.76.2
4.75.2
4.43.5-0.20260112202845-e225ef57912c
References
- GHSA-63m5-974w-448v
- fleetdm/fleet@e225ef5
Published to the GitHub Advisory Database: Jan 20, 2026
Last updated: Jan 20, 2026