CVEReports

CVE-2026-34389

CVE-2026-34389: Authentication Bypass via Invitation Token Mishandling in Fleet

Alon Barad, Software Engineer

Mar 30, 2026 · 5 min read

No Known Exploit

Executive Summary (TL;DR)

A flaw in Fleet prior to version 4.81.0 allows attackers with a leaked invitation token to register an account using an arbitrary email address. This bypasses intended identity verification and grants the attacker the roles associated with the invite, potentially yielding Global Admin access.

Fleet, an open-source device management platform, contains an improper authentication vulnerability in its user invitation flow. Prior to version 4.81.0, the application failed to validate that the email address submitted during account registration matched the address associated with the provided invitation token. This allows attackers possessing a valid invitation token to provision accounts under arbitrary email addresses while inheriting the privilege level assigned to the original invitee.

Vulnerability Overview

Fleet is an open-source device management software solution used to monitor and manage endpoint infrastructure. It exposes a web-based administration interface that includes an invitation mechanism for onboarding new users. Administrators generate these invitations to grant specific roles, such as Global Admin, to target email addresses.

The vulnerability, tracked as CVE-2026-34389, resides within the server-side logic responsible for processing these user invitations. Specifically, it involves the account registration endpoint that consumes an invitation token and finalizes the user provisioning process.

Prior to version 4.81.0, the application failed to enforce consistency between the email address submitted by the user and the email address originally bound to the invitation token. This missing check allows an unauthenticated attacker who obtains a valid token to register an account under an arbitrary email address while assuming the role intended for the original recipient.

Root Cause Analysis

The core issue is classified as Improper Authentication (CWE-287). It manifests in the final stage of the user invitation workflow. When an administrator creates an invite, Fleet generates a unique token and stores it in the database alongside the intended recipient's email address and assigned role.

Upon navigating to the registration link, the invited user submits a payload containing their desired name, password, and email address. The server-side registration handler receives this payload and verifies the cryptographic validity and expiration status of the provided token.

However, the vulnerable implementation omitted a critical validation step. It did not cross-reference the email address provided in the HTTP request payload with the email address stored in the database record for that specific token. Consequently, the server created a new user record utilizing the attacker-supplied email address, while querying the token record solely to apply the predefined role assignments.

This oversight decouples the token's authorization context from the intended identity. The system trusts the token as proof of authorization to create an account with a specific role, but erroneously accepts the user-supplied email as the definitive identity for that account.

Exploitation and Attack Vectors

Exploitation requires the attacker to obtain a valid, unexpired invitation token. These tokens are typically transmitted via email but are frequently shared out-of-band in communication channels such as Slack, Microsoft Teams, or internal wikis where exposure is more likely.

Once a token is acquired, the attacker navigates to the public-facing Fleet registration endpoint. They populate the registration form with their own email address, such as attacker@evil.com, alongside a password of their choosing.

Submitting the form triggers the vulnerable server-side logic. The application processes the token, confirms it is active, and provisions the new account. The system applies the role linked to the token, which may include highly privileged roles like Global Admin.

The attacker now possesses a fully functional, authenticated session on the Fleet instance. Since the account uses their specified email address, they retain persistent access and control over the platform, bypassing the administrator's original identity constraints.

Impact Assessment

The primary impact of this vulnerability is a complete compromise of the authorization boundary surrounding new user onboarding. By successfully exploiting this flaw, an unauthorized actor gains persistent, authenticated access to the Fleet instance.

The severity of the compromise scales directly with the privilege level assigned to the leaked invitation token. If the token was generated for a Global Admin role, the attacker achieves total administrative control over the device management platform.

Administrative access allows the attacker to manipulate device configurations, issue commands to managed endpoints, access sensitive telemetry data, and further compromise the network infrastructure. The integrity of the system is fundamentally undermined.

According to the CVSS 4.0 framework, the vulnerability carries a base score of 4.9. This score reflects the low attack complexity and lack of required user interaction, balanced against the prerequisite of obtaining a valid invitation token prior to exploitation.

Remediation and Mitigation

The definitive resolution for CVE-2026-34389 is upgrading the Fleet installation to version 4.81.0 or later. This release introduces strict server-side validation to ensure the submitted email address matches the address bound to the invitation token before provisioning the account.
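The missing check described in the Root Cause Analysis and the validation that 4.81.0 introduces, side by side, as an added Go illustration rather than Fleet's own code: the Invite and User types, the in-memory token map and the handler names are simplifications assumed here.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// Invite is a constructed stand-in for the record Fleet stores when an admin
// creates an invitation (not Fleet's own type): token, recipient, role, expiry.
type Invite struct {
	Token, Email, Role string
	ExpiresAt          time.Time
}
type User struct{ Email, Role string } // account record produced by registration

var ErrEmailMismatch = errors.New("email does not match invitation")
func normalise(e string) string { return strings.ToLower(strings.TrimSpace(e)) }

// lookup checks only token existence and expiry; both handlers below share it.
func lookup(invites map[string]Invite, token string, now time.Time) (Invite, error) {
	inv, ok := invites[token]
	if !ok || now.After(inv.ExpiresAt) {
		return Invite{}, errors.New("invite not found or expired")
	}
	return inv, nil
}

// registerVulnerable mirrors the pre-4.81.0 logic: the token is consulted only
// for the role, and the caller-supplied email becomes the account identity.
func registerVulnerable(invites map[string]Invite, token, email string, now time.Time) (User, error) {
	inv, err := lookup(invites, token, now)
	if err != nil {
		return User{}, err
	}
	return User{Email: email, Role: inv.Role}, nil
}

// registerFixed adds the missing cross-check and takes the identity from the
// invite, not the request; normalising first stops case/whitespace mismatches.
func registerFixed(invites map[string]Invite, token, email string, now time.Time) (User, error) {
	inv, err := lookup(invites, token, now)
	if err != nil {
		return User{}, err
	}
	if normalise(email) != normalise(inv.Email) {
		return User{}, ErrEmailMismatch
	}
	return User{Email: inv.Email, Role: inv.Role}, nil
}
```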

If an immediate upgrade is not feasible, administrators must implement strict operational controls regarding invitation links. These links should be treated as sensitive credentials and transmitted exclusively through secure, direct communication channels.

Administrators should proactively revoke and reissue any invitation links suspected of exposure in semi-public channels. Additionally, applying the principle of least privilege by issuing invites with minimal permissions and manually elevating roles post-registration reduces the potential impact of a leaked token.

Security teams should audit the user directory for recent registrations. Reviewing the email domains of newly created accounts helps identify unauthorized access attempts that may have exploited this vulnerability prior to patching.
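One way to run the audit described above, as an added Go example that is not part of Fleet: it cross-references exported account rows against issued invites and an assumed list of organisation email domains, flagging accounts created in the review window that have no matching invite for their role or sit outside those domains. The InviteRecord and Account types are constructed stand-ins for whatever the export actually contains.

```go
package main

import (
	"strings"
	"time"
)

// InviteRecord and Account are constructed stand-ins for rows an auditor would
// export from the invites and users tables (not Fleet's own schema).
type InviteRecord struct{ Email, Role string }
type Account struct {
	Email, Role string
	CreatedAt   time.Time
}
type Finding struct{ Email, Reason string }

// auditRegistrations flags accounts created at or after `since` that (a) hold a
// role for which no invite was issued to that address, or (b) use an email
// domain outside the organisation. Either is consistent with a consumed leaked token.
func auditRegistrations(accounts []Account, invites []InviteRecord, orgDomains []string, since time.Time) []Finding {
	invited := map[string]string{} // normalised email -> role granted by the invite
	for _, inv := range invites {
		invited[norm(inv.Email)] = inv.Role
	}
	allowed := map[string]bool{}
	for _, d := range orgDomains {
		allowed[strings.ToLower(d)] = true
	}
	var out []Finding
	for _, a := range accounts {
		if a.CreatedAt.Before(since) {
			continue
		}
		e := norm(a.Email)
		if role, ok := invited[e]; !ok || role != a.Role {
			out = append(out, Finding{Email: a.Email, Reason: "no invite issued to this email for this role"})
		}
		if at := strings.LastIndex(e, "@"); at < 0 || !allowed[e[at+1:]] {
			out = append(out, Finding{Email: a.Email, Reason: "email domain outside the organisation"})
		}
	}
	return out
}

func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
```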

Technical Appendix

CVSS Score: 4.9 / 10
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
EPSS Probability: 0.04% (top 88% most exploited)

Affected Systems

Fleet Device Management

Affected Versions Detail

Product   Affected Versions   Fixed Version
Fleet     < 4.81.0            4.81.0

Attribute        Detail
CWE ID           CWE-287
Attack Vector    Network
CVSS 4.0 Score   4.9
EPSS Score       0.00038
Exploit Status   Unproven
CISA KEV         Not Listed

MITRE ATT&CK Mapping

  • T1078 Valid Accounts (Initial Access)
  • T1190 Exploit Public-Facing Application (Initial Access)

Weakness: CWE-287 Improper Authentication
