{"id":"CVE-2026-26061","summary":"Fleet's unbounded request body read allows remote Denial of Service","details":"Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition. Version 4.81.0 patches the issue.","aliases":["GHSA-99hj-44vg-hfcp","GO-2026-4889"],"modified":"2026-05-18T05:58:39.438223812Z","published":"2026-03-27T18:23:49.791Z","related":["SUSE-SU-2026:1205-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26061.json","cwe_ids":["CWE-770"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26061.json"},{"type":"ADVISORY","url":"https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26061"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fleetdm/fleet","events":[{"introduced":"0"},{"fixed":"9dbcc38ce1046074ac230804f32ae1689026041f"}]}],"versions":["fleetctl-docker-deps-20260129","orbit-v1.51.0","fleetctl-docker-deps-20260113","fleetd-android-v1.0.0","fleetctl-docker-deps-v4.76.1","orbit-v1.50.0","orbit-v1.49.0","orbit-v1.48.0","orbit-v1.45.0","orbit-v1.43.0","orbit-v1.42.0","orbit-v1.41.0","rc-fleetctl-test-v4.63.0","tf-mod-addon-monitoring-v1.5.1","tf-mod-addon-monitoring-v1.5.0","tf-mod-addon-monitoring-v1.4.1","tf-mod-addon-ses-v1.2.0","fleetctl-docker-deps-v4.60.0","tf-mod-root-v1.9.2","tf-mod-byo-ecs-v1.8.1","tf-mod-addon-mdmproxy-v1.0.1","tf-mod-addon-saml-auth-proxy-v1.3.0","tf-mod-addon-ses-v1.1.0","tf-mod-root-v1.11.1","tf-mod-byo-vpc-v1.12.1","tf-mod-addon-waf-alb-v2.0.0","tf-mod-root-v1.11.0","tf-mod-byo-vpc-v1.12.0","tf-mod-byo-ecs-v1.8.0","tf-mod-byo-db-v1.9.0","tf-mod-addon-mdmproxy-v1.0.0","tf-mod-root-v1.10.0","tf-mod-byo-vpc-v1.11.0","tf-mod-byo-ecs-v1.7.0","tf-mod-byo-db-v1.8.0","tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.1","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.3","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.2","tf-mod-addon-osquery-carve-v1.1.0","tf-mod-addon-osquery-carve-split-account-split-account-v1.1.0","tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.1.0","tf-mod-addon-byo-file-carving-v1.1.0","tf-mod-addon-byo-file-carving-target-account-v1.1.0","tf-mod-root-v1.9.1","tf-mod-byo-vpc-v1.10.1","tf-mod-byo-ecs-v1.6.1","tf-mod-byo-db-v1.7.1","tf-mod-root-v1.9.0","tf-mod-byo-vpc-v1.10.0","tf-mod-byo-ecs-v1.6.0","tf-mod-byo-db-v1.7.0","tf-mod-addon-external-vuln-scans-v2.2.0","fleet-v4.51.0","tf-mod-addon-byo-kinesis-logging-destination-target-account-v1.0.0","tf-mod-addon-byo-kinesis-logging-destination-kinesis-v1.0.0","fleet-v4.50.0","tf-mod-root-v1.8.0","tf-mod-byo-vpc-v1.9.0","tf-mod-byo-ecs-v1.5.0","tf-mod-byo-db-v1.6.0","tf-mod-addon-external-vuln-scans-v2.1.0","fleetd-chrome-v1.3.1","tf-mod-addon-byo-file-carving-v1.0.0","tf-mod-addon-byo-file-carving-target-account-v1.0.0","tf-mod-addon-monitoring-v1.4.0","fleetd-chrome-v1.3.0","fleet-v4.49.0","tf-mod-root-v1.7.3","tf-mod-byo-vpc-v1.8.3","tf-mod-addon-logging-destination-firehose-v1.1.1","fleet-v4.48.0","fleetd-chrome-v1.2.1-beta","tf-mod-root-v1.7.2","tf-mod-byo-vpc-v1.8.2","tf-mod-addon-saml-auth-proxy-v1.2.0","tf-mod-addon-monitoring-v1.3.0","tf-mod-addon-monitoring-v1.2.0","fleet-v4.47.0","tf-mod-addon-mdm-v2.0.0","tf-mod-addon-migrations-v2.0.1","tf-mod-addon-external-vuln-scans-v2.0.2","tf-mod-addon-osquery-carve-v1.0.1","fleet-v4.45.0","fleetd-chrome-v1.2.0-beta","fleetd-chrome-v1.2.0","tf-mod-addon-external-vuln-scans-v2.0.1","tf-mod-root-v1.7.1","tf-mod-byo-vpc-v1.8.1","tf-mod-byo-ecs-v1.4.1","tf-mod-byo-db-v1.5.1","tf-mod-addon-external-vuln-scans-v2.0.0","fleetd-chrome-v1.1.3-beta","fleetd-chrome-v1.1.3","v4.43.4","fleetd-chrome-v1.1.1-beta","fleet-v4.40.0","fleetd-chrome-v1.1.0-beta","fleet-v4.43.0","orbit-v1.20.0","tf-mod-root-v1.7.0","tf-mod-byo-vpc-v1.8.0","tf-mod-byo-db-v1.5.0","tf-mod-byo-db-v1.4.0","tf-mod-addon-migrations-v2.0.0","tf-mod-addon-mdm-v1.5.0","tf-mod-addon-geolite2-v1.0.0","fleet-v4.41.0","tf-mod-root-v1.6.1","tf-mod-byo-vpc-v1.7.1","tf-mod-byo-db-v1.3.2","tf-mod-addon-monitoring-v1.1.3","tf-mod-root-v1.6.0","tf-mod-byo-vpc-v1.7.0","tf-mod-addon-logging-destination-firehose-v1.1.0","tf-mod-addon-logging-alb-v1.2.0","orbit-v1.18.3","tf-mod-addon-monitoring-v1.1.2","orbit-v1.18.2","orbit-v1.18.0-RC","orbit-test-build","fleet-v4.39.0","tf-mod-addon-mdm-v1.4.1","tf-mod-addon-monitoring-v1.1.1","tf-mod-addon-monitoring-v1.1.0","tf-mod-root-v1.5.1","tf-mod-byo-vpc-v1.6.1","tf-mod-byo-db-v1.3.1","tf-mod-root-v1.5.0","tf-mod-byo-vpc-v1.6.0","tf-mod-addon-mdm-v1.4.0","tf-mod-addon-vuln-processing-v1.1.0","fleet-v4.38.0","tf-mod-root-v1.4.0","tf-mod-byo-vpc-v1.5.0","tf-mod-byo-ecs-v1.4.0","tf-mod-byo-db-v1.3.0","tf-mod-addon-saml-auth-proxy-v1.0.0","tf-mod-addon-saml-auth-proxy-v1.1.0","v4.36.0","orbit-v1.15.0","fleet-v4.36.0","orbit-v1.17.0","v4.37.0","fleet-v4.37.0","orbit-v1.16.0","orbit-v1.16.0-2","tf-mod-addon-mdm-v1.3.0","tf-mod-root-v1.3.0","tf-mod-byo-vpc-v1.4.0","tf-mod-byo-ecs-v1.3.0","tf-mod-byo-db-v1.2.0","tf-mod-root-v1.2.0","tf-mod-byo-vpc-v1.3.0","tf-mod-addon-external-vuln-scans-v1.0.0","orbit-v1.14.0","fleet-v4.35.0","tf-mod-addon-mdm-v1.2.2","tf-mod-addon-mdm-v1.2.1","tf-mod-addon-mdm-v1.2.0","tf-mod-byo-vpc-v1.2.0","tf-mod-byo-ecs-v1.2.0","orbit-v1.13.0","fleet-v4.34.0","orbit-v1.12.1","orbit-v1.12.0","tf-mod-root-v1.1.1","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.1","fleet-v4.33.0","tf-mod-addon-logging-alb-v1.1.1","tf-mod-addon-logging-alb-v1.1.0","tf-mod-addon-byo-firehose-logging-destination-firehose-v2.0.0","tf-mod-addon-logging-alb-v1.0.2","tf-mod-addon-logging-alb-v1.0.1","orbit-v1.11.0","fleet-v4.32.0","tf-mod-root-v1.1.0","tf-mod-byo-vpc-v1.1.0","tf-mod-byo-ecs-v1.1.0","tf-mod-byo-db-v1.1.0","tf-mod-addon-waf-alb-v1.0.0","tf-mod-addon-vuln-processing-v1.0.0","tf-mod-addon-ses-v1.0.0","tf-mod-addon-osquery-perf-v1.0.0","tf-mod-addon-osquery-carve-v1.0.0","tf-mod-addon-osquery-carve-split-account-split-account-v1.0.0","tf-mod-addon-osquery-carve-split-account-osquery-carve-v1.0.0","tf-mod-addon-monitoring-v1.0.0","tf-mod-addon-mdm-v1.1.0","tf-mod-addon-logging-alb-v1.0.0","tf-mod-addon-byo-firehose-logging-destination-target-account-v1.1.0","tf-mod-addon-byo-firehose-logging-destination-firehose-v1.1.0","tf-mod-addon-bfldf-v1.1.0","fleet-v4.31.0","orbit-v1.10.0","fleet-v4.30.0","orbit-v1.9.1","v4.28.0","fleet-v4.28.0","orbit-v1.9.0","fleet-v4.29.0","tf-mod-addon-mdm-v1.0.0","orbit-v1.8.0","tf-mod-root-v1.0.0","tf-mod-byo-vpc-v1.0.0","tf-mod-byo-ecs-v1.0.0","tf-mod-byo-db-v1.0.0","tf-mod-addon-migrations-v1.0.0","tf-mod-addon-logging-destination-firehose-v1.0.0","tf-mod-addon-byo-firehose-logging-destination-target-account-v1.0.0","tf-mod-addon-byo-firehose-logging-destination-firehose-v1.0.0","orbit-v1.7.0","fleet-v4.27.0","fleet-v4.26.0","orbit-v1.5.0","fleet-v4.25.0","orbit-v1.4.1","fleet-v4.24.0","orbit-v1.4.0","orbit-v1.4.0-rc","fleet-v4.23.0","orbit-v1.3.0-rc","orbit-v1.3.0","fleet-v4.22.0","orbit-v1.2.0-rc1","fleet-v4.20.0","fleet-v4.19.0","orbit-v1.1.0","fleet-v4.18.0","fleet-v4.17.0","orbit-v1.0.0","fleet-v4.16.0","orbit-v0.0.13","fleet-v4.15.0","orbit-v0.0.12","orbit-v0.0.11","fleet-v4.14.0","orbit-v0.0.9","fleet-v4.13.0","fleet-v4.12.0","v0.0.7","orbit-v0.0.7","fleet-v4.11.0","fleet-v4.10.0","v0.0.6","orbit-v0.0.6","fleet-v4.8.0","v0.0.5","v0.0.4","orbit-v0.0.5","orbit-v0.0.4","fleet-v4.7.0","fleet-v4.6.1","fleet-v4.6.0","fleet-v4.5.0","fleet-v4.4.0","fleet-v4.3.1","fleet-v4.3.0","fleet-v4.2.2","fleet-v4.2.0","v4.1.0","v4.0.1","v4.0.0","v4.0.0-rc3","3.13.0","3.12.0","3.11.0","3.10.1","3.10.0","3.9.0","3.8.0","3.7.3","3.7.1","3.7.2","3.7.0","3.6.0","3.5.1","3.5.0","3.4.0","3.3.0","3.2.0","3.1.0","3.0.0","2.6.0","2.5.0","2.4.0","2.3.0","2.2.0","2.1.2","2.1.1","2.1.0","2.0.2","2.0.1","2.0.0","2.0.0-rc5","2.0.0-rc4","2.0.0-rc3","2.0.0-rc2","2.0.0-rc1","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1","1.0.0","1.0.0-rc2","1.0.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-26061.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}