Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.1
Fleet: Predictable Lock PIN Can Be Cracked with Device Access
CVE-2026-23999
GHSA-ppwx-5jq7-px2w
Summary
Fleet's device lock PIN can be guessed if an attacker has physical access to the device and knows when it was locked. This is because the PIN is generated based on the current time, making it predictable. To fix this, update to the latest version of Fleet.
What to do
- Update github.com fleetdm to version 4.80.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | fleetdm | <= 4.80.1 | 4.80.1 |
| fleetdm | fleet | <= 4.80.1 | – |
Original title
Fleet: Device lock PIN can be predicted if lock time is known
Original description
### Summary
Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.
### Impact
Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp.
An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window.
However, successful exploitation is constrained by multiple factors:
- Physical access to the device is required.
- The approximate lock time must be known.
- The operating system enforces rate limiting on PIN entry attempts.
- Attempts would need to be spread over multiple days.
- Device wipe operations would typically complete before sufficient attempts could be made.
As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls.
### Workarounds
There are no known workarounds for this issue. Customers should upgrade to a patched version.
### For more information
If there are any questions or comments about this advisory:
Email Fleet at [[email protected]](mailto:[email protected])
Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
### Credits
Fleet thanks @secfox-ai for responsibly reporting this issue.
Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.
### Impact
Fleet’s device lock and wipe commands generate a 6-digit PIN that is displayed to administrators for unlocking a device. In affected versions, this PIN was deterministically derived from the current timestamp.
An attacker with physical possession of a locked device and knowledge of the approximate time the lock command was issued could theoretically predict the correct PIN within a limited search window.
However, successful exploitation is constrained by multiple factors:
- Physical access to the device is required.
- The approximate lock time must be known.
- The operating system enforces rate limiting on PIN entry attempts.
- Attempts would need to be spread over multiple days.
- Device wipe operations would typically complete before sufficient attempts could be made.
As a result, this issue does not allow remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls.
### Workarounds
There are no known workarounds for this issue. Customers should upgrade to a patched version.
### For more information
If there are any questions or comments about this advisory:
Email Fleet at [[email protected]](mailto:[email protected])
Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
### Credits
Fleet thanks @secfox-ai for responsibly reporting this issue.
nvd CVSS3.1
5.5
nvd CVSS4.0
0.6
Vulnerability type
CWE-330
Use of Insufficiently Random Values
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026