Fleet Rate Limiting Bypass Vulnerability via Unvalidated Client IP Headers

Vulnerability

A vulnerability in Fleet device management software prior to version 4.80.1 allowed a client to spoof its source IP address by setting HTTP headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP, which Fleet used to determine the client address without validating that they came from a trusted proxy. Exploiting this could bypass per-IP rate limits, making brute-force or password-spraying attacks against authentication endpoints more effective. On its own, the issue does not enable authentication bypass, privilege escalation, data exposure, or remote code execution.

Impact

Exploitation of this vulnerability could bypass per-IP rate limits, allowing more effective brute-force or password-spraying attacks against authentication endpoints.

Remediation

Users should upgrade to Fleet version 4.80.1 or later, or run Fleet behind a trusted reverse proxy or load balancer that overwrites client-supplied IP headers rather than passing them through.
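As an added illustration (not Fleet's own code), the following Go function shows how a server can derive the address a per-IP rate limiter keys on so that forwarding headers are honoured only when the TCP peer is a trusted proxy; the proxy CIDRs and addresses are constructed for the example.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Constructed list of reverse-proxy CIDRs whose forwarding headers we accept.
var trustedProxies = []string{"10.0.0.0/8", "127.0.0.0/8"}

func isTrustedProxy(ip net.IP) bool {
	for _, cidr := range trustedProxies {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address a per-IP rate limiter should key on.
// X-Forwarded-For is consulted only when the TCP peer is a trusted proxy,
// so a client connecting directly cannot change its identity with headers.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port present
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrustedProxy(peer) {
		return host
	}
	// Walk X-Forwarded-For from the right: hops added by our own proxies are
	// skipped, and the first untrusted hop is what the edge proxy saw.
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed or empty entry: trust nothing to its left
		}
		if !isTrustedProxy(ip) {
			return ip.String()
		}
	}
	return host // header empty or only our proxies: fall back to the peer
}
```

Entries a client prepends to X-Forwarded-For before the request reaches the proxy are ignored, because the walk stops at the right-most untrusted hop.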

Added: May 14, 2026, 9:35 PM
Updated: May 14, 2026, 9:35 PM

Vulnerability Rating

Custom Algorithm

- spread: 0.8
- impact: 0.6
- exploitability: 7.0
- remediation: 8.3
- relevance: 8.3
- threat: 0.0
- urgency: 2.9
- incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.