Fleet SAML Authentication Vulnerability Allowing Unauthorized User Provisioning

Vulnerability

Fleet versions through 4.64.1 do not adequately validate SAML responses, which lets an attacker manipulate a response and present a forged authentication assertion that Fleet accepts. If Just-In-Time (JIT) user provisioning is enabled, such an assertion can provision a new user account, including an administrative one; if MDM enrollment is active, it can create new accounts tied to the fraudulent assertion. Either path gives the attacker unauthorized access to Fleet, potentially with administrative privileges over device data and configuration management.
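The page attributes the flaw to inadequate validation of SAML responses without naming the missing check, so the following added example (written for this page, not Fleet's code) walks through the checks a SAML service provider (SP) must make before it trusts the NameID and attributes in an assertion and provisions a user from them: a signature over the assertion itself, issuer, audience, a binding to an outstanding AuthnRequest, and the validity window. Everything in it is constructed: an HMAC stands in for XML-DSig so it runs on the Python standard library alone, and the key, issuer, audience, request IDs and user names are invented.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TOY = "urn:example:toy-signature"  # stands in for the XML-DSig namespace (HMAC instead of RSA)
NS = {"samlp": SAMLP, "saml": SAML, "toy": TOY}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamps handled as naive UTC
IDP_KEY = b"constructed-idp-signing-key"        # constructed; stands in for the IdP signing key
IDP_ISSUER = "https://idp.example.test/saml"    # hypothetical IdP entity ID
SP_AUDIENCE = "https://fleet.example.test/sso"  # hypothetical SP entity ID
DEMO_NOW = datetime(2025, 6, 9, 19, 46)         # fixed clock for the demo

def _sign_assertion(key, assertion):
    """MAC over the canonicalised <Assertion> with any <Signature> child removed."""
    clone = ET.fromstring(ET.tostring(assertion))
    for sig in clone.findall("toy:Signature", NS):
        clone.remove(sig)
    c14n = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return hmac.new(key, c14n.encode(), "sha256").digest()

def idp_build_response(key, name_id, in_response_to, now, attributes):
    """Constructed IdP side: a successful response carrying one signed assertion."""
    ts = lambda dt: dt.strftime(TIME_FMT)
    resp = ET.Element(f"{{{SAMLP}}}Response", InResponseTo=in_response_to, IssueInstant=ts(now))
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ISSUER
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", IssueInstant=ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ISSUER
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    confirmation = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(confirmation, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=in_response_to)
    conditions = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts(now - timedelta(minutes=1)),
                               NotOnOrAfter=ts(now + timedelta(minutes=5)))
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = SP_AUDIENCE
    statement = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attribute = ET.SubElement(statement, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attribute, f"{{{SAML}}}AttributeValue").text = value
    ET.SubElement(a, f"{{{TOY}}}Signature").text = base64.b64encode(_sign_assertion(key, a)).decode()
    return ET.tostring(resp, encoding="unicode")

class SAMLValidationError(Exception):
    pass

def sp_validate_response(response_xml, key, outstanding_request_ids, now):
    """SP side: every check must pass before the NameID or attributes are trusted."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{SAMLP}}}Response" or status is None or status.get("Value") != SUCCESS:
        raise SAMLValidationError("not a successful samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity rather than pick one (signature-wrapping tricks)
        raise SAMLValidationError("expected exactly one assertion")
    a = assertions[0]
    # 1. The signature must cover the very <Assertion> whose contents we act on.
    sig = a.find("toy:Signature", NS)
    if sig is None or not hmac.compare_digest(base64.b64decode(sig.text or ""), _sign_assertion(key, a)):
        raise SAMLValidationError("assertion signature missing or invalid")
    # 2. Issued by the configured IdP and addressed to this SP.
    audiences = [e.text for e in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER or SP_AUDIENCE not in audiences:
        raise SAMLValidationError("wrong issuer or audience")
    # 3. Answers an AuthnRequest this SP issued; consume the ID so the response cannot be replayed.
    data = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    irt = data.get("InResponseTo") if data is not None else None
    if irt is None or irt != root.get("InResponseTo") or irt not in outstanding_request_ids:
        raise SAMLValidationError("does not answer an outstanding request")
    outstanding_request_ids.discard(irt)
    conditions = a.find("saml:Conditions", NS)
    parse = lambda text: datetime.strptime(text, TIME_FMT)  # 4. inside the validity window
    if not parse(conditions.get("NotBefore")) <= now < parse(conditions.get("NotOnOrAfter")):
        raise SAMLValidationError("outside validity window")
    attrs = {attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=NS)
             for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def rejected(response_xml, outstanding_request_ids, now=DEMO_NOW):
    try:
        sp_validate_response(response_xml, IDP_KEY, outstanding_request_ids, now)
    except SAMLValidationError:
        return True
    return False

def demo():
    """Legitimate login is accepted; the same response with NameID and role edited is not."""
    good = idp_build_response(IDP_KEY, "alice@example.test", "_req1", DEMO_NOW, {"role": "observer"})
    legit = sp_validate_response(good, IDP_KEY, {"_req1"}, DEMO_NOW)
    forged = good.replace("alice@example.test", "admin@example.test").replace("observer", "admin")
    return good, legit, rejected(forged, {"_req1"})
```

demo() returns the legitimate login's (NameID, attributes) together with True for the rejection of the same response after its NameID and role have been edited to claim an admin identity: the edited assertion no longer matches the signature computed over it. The same validator refuses a replayed response, because the AuthnRequest ID is consumed on first use, a response whose assertion carries no signature at all, and one presented after NotOnOrAfter. Fleet's own fix is not described on this page, so the block illustrates the class of check an SP needs, not the specific change shipped in the patched releases.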

Impact

Successful exploitation yields unauthorized access to Fleet, potentially with administrative rights, and with them access to device data and the ability to modify configurations.

Remediation

Upgrade to the patched release for your release line: 4.64.2, 4.63.2, 4.62.4, 4.58.1 or 4.53.2. If an immediate upgrade is not feasible, temporarily disable single sign-on (SSO) and fall back to password authentication until it is. Since the flaw allows accounts to be provisioned, also review Fleet users created while SSO was enabled, especially any holding administrative roles, and remove those you cannot account for.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Metric          Score
  spread          0.8
  impact          5.0
  exploitability  8.1
  remediation     8.3
  relevance       0.0
  threat          3.2
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.