6.3
Fleet: Android Devices Can Be Removed from Management Without Password
CVE-2026-24004
GHSA-9pm7-6g36-6j78
Summary
Fleet's Android device management system has a flaw that allows anyone to remove Android devices from management without needing a password. This could be a problem for businesses that use Fleet to manage their Android devices. To protect your devices, consider disabling Android MDM until you can upgrade to a fixed version of Fleet.
What to do
- Update github.com fleetdm to version 4.80.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | fleetdm | <= 4.80.1 | 4.80.1 |
| fleetdm | fleet | <= 4.80.1 | – |
Original title
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Original description
### Summary
A vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management.
### Impact
If Android MDM is enabled, an attacker could send a crafted request to the Android Pub/Sub endpoint to unenroll a targeted Android device from Fleet without authentication.
This issue does not grant access to Fleet, allow execution of commands, or provide visibility into device data. Impact is limited to disruption of Android device management for the affected device.
### Workarounds
If an immediate upgrade is not possible, affected Fleet users should temporarily disable Android MDM.
### For more information
If there are any questions or comments about this advisory:
Email Fleet at [[email protected]](mailto:[email protected])
Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
### Credits
Fleet thanks @secfox-ai for responsibly reporting this issue.
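The Impact section above describes a push endpoint that acts on unenrollment notifications without verifying who sent them (CWE-306). As an added illustration that is not Fleet's code and not the fix Fleet shipped, the hypothetical Go handler below refuses any push that lacks a constructed subscription token before it will process a constructed "DELETED" notification; the message shape, token scheme and type name are all assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
)

// pushMessage is a constructed approximation of a push notification body.
type pushMessage struct {
	NotificationType string `json:"notificationType"`
	DeviceName       string `json:"deviceName"`
}

// PushHandler is a hypothetical push endpoint, not Fleet's code. token is
// a constructed per-deployment secret that the push subscription is
// configured to append to every request it delivers.
type PushHandler struct {
	token      string
	Unenrolled []string // devices removed from management so far
}

// authorized compares the caller-supplied token in constant time. Skipping
// this check is the defect class the advisory describes.
func (h *PushHandler) authorized(r *http.Request) bool {
	got := []byte(r.URL.Query().Get("token"))
	return subtle.ConstantTimeCompare(got, []byte(h.token)) == 1
}

func (h *PushHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !h.authorized(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var msg pushMessage
	if err := json.NewDecoder(r.Body).Decode(&msg); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	// Only a DELETED notification (constructed type name) unenrolls a device.
	if msg.NotificationType == "DELETED" && msg.DeviceName != "" {
		h.Unenrolled = append(h.Unenrolled, msg.DeviceName)
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.ListenAndServe(":8080", &PushHandler{token: "constructed-secret"})
}
```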
NVD CVSS 3.1: 5.3
NVD CVSS 4.0: 1.7
Vulnerability type
- CWE-862: Missing Authorization
- CWE-306: Missing Authentication for Critical Function
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026