CVE-2026-23517

Fleet's Open Door Policy: Unrestricted pprof Exposure

Alon Barad
Software Engineer

Jan 20, 2026 · 6 min read

Executive Summary (TL;DR)

The Fleet server accidentally exposed Go's runtime debugging endpoints (`/debug/pprof`) to any user holding a valid session token. The check was authentication only, not authorization, so a low-privilege 'Observer' can dump the server's heap memory (stealing secrets) or trigger CPU profiles (crashing the server). Fixed in versions 4.78.3, 4.77.1, etc.

A critical access control failure in Fleet server allows any authenticated user—even those with minimal privileges—to access Go's runtime profiling tools (`pprof`), leading to potential data leakage and Denial of Service.
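As an added illustration, not Fleet's own code, the Go middleware below shows the authentication-only gate the advisory describes next to the role check that closes the hole; the session store, token values, role names and the `requireAdmin` switch are constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
)

// Constructed session store (token -> role); the role names are hypothetical, not Fleet's.
var sessions = map[string]string{"tok-observer": "observer", "tok-admin": "admin"}

// sessionRole resolves a bearer token to its role; ok is false for unknown sessions.
func sessionRole(r *http.Request) (role string, ok bool) {
	role, ok = sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	return
}

// debugAuth gates the pprof handlers. requireAdmin=false reproduces the advisory's flaw:
// any valid session, an Observer included, passes. requireAdmin=true adds the missing
// authorization step and answers non-admins with 403.
func debugAuth(requireAdmin bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := sessionRole(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if requireAdmin && role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// debugMux mounts the pprof index behind debugAuth.
func debugMux(requireAdmin bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/debug/pprof/", debugAuth(requireAdmin, http.HandlerFunc(pprof.Index)))
	return mux
}

// status returns the HTTP status GET /debug/pprof/ yields for a session token.
func status(h http.Handler, token string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { _ = http.ListenAndServe("127.0.0.1:8080", debugMux(true)) }
```

With `requireAdmin` false the observer token receives 200 from the pprof index; with it true the same token receives 403 while the admin token still receives 200.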

Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Probability: 0.04% (Top 100% most exploited)

Affected Systems

Fleet Server (FleetDM)

Affected Versions Detail

Product           Affected Versions   Fixed Version
Fleet (FleetDM)   < 4.53.3            4.53.3
Fleet (FleetDM)   < 4.75.2            4.75.2
Fleet (FleetDM)   < 4.76.2            4.76.2
Fleet (FleetDM)   < 4.77.1            4.77.1
Fleet (FleetDM)   < 4.78.3            4.78.3
Attribute        Detail
CWE ID           CWE-284 (Improper Access Control)
Attack Vector    Network (Authenticated)
CVSS Estimate    7.5 (High)
Impact           Info Disclosure & DoS
Component        debugAuthenticationMiddleware
KEV Status       Not Listed

CWE-284: Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vulnerability Timeline

2026-01-12: Patch commit merged into main branch
2026-01-20: GHSA-4r5r-ccr6-q6f6 published
2026-01-20: CVE-2026-23517 assigned