Fleet Broken Authorization Vulnerability in Certificate Template Deletion API

Vulnerability

A broken authorization vulnerability has been identified in Fleet's certificate template deletion API, affecting versions prior to 4.80.1. This issue allows team administrators to delete certificate templates belonging to other teams within the same Fleet instance. The vulnerability arises because the batch deletion endpoint validates authorization using a user-supplied team identifier but fails to ensure that the certificate template IDs being deleted actually belong to that team. As a result, a team administrator could inadvertently disrupt certificate-based workflows, such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams. Notably, this vulnerability does not permit privilege escalation, access to sensitive data, or compromise of Fleet's control plane; its impact is limited to the integrity and availability of certificate templates across teams.
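
The missing check, shown in Go as an added illustration (a hypothetical in-memory store with constructed sample data, not Fleet's own code): the batch delete that trusts the request's team ID without comparing it to each template's owner, beside a hardened version that rejects the whole batch on any mismatch.

```go
package main

import (
	"errors"
	"fmt"
)

// CertTemplate holds the one field the bug turns on: which team owns the template.
type CertTemplate struct{ ID, TeamID uint }

// Store is a hypothetical in-memory datastore, not Fleet's own code.
type Store struct{ templates map[uint]CertTemplate }

// ErrForbidden is returned for an ID that is missing or belongs to another team.
var ErrForbidden = errors.New("template does not belong to the authorized team")

// newStore builds constructed sample data: template 10 owned by team 1, template 20 by team 2.
func newStore() *Store {
	return &Store{templates: map[uint]CertTemplate{10: {10, 1}, 20: {20, 2}}}
}

// deleteUnchecked reproduces the flaw the advisory describes: the caller was authorized
// for teamID (taken from the request), but the IDs are never compared against that team.
func (s *Store) deleteUnchecked(teamID uint, ids []uint) error {
	for _, id := range ids {
		delete(s.templates, id) // deletes whichever team owns the template
	}
	return nil
}

// deleteChecked is the hardened form: verify ownership of every ID before touching the
// store and reject the whole batch on any mismatch, so no partial delete can occur.
// A missing ID gets the same error as a foreign one, so nothing leaks about other teams' IDs.
func (s *Store) deleteChecked(teamID uint, ids []uint) error {
	for _, id := range ids {
		if t, ok := s.templates[id]; !ok || t.TeamID != teamID {
			return fmt.Errorf("template %d: %w", id, ErrForbidden)
		}
	}
	for _, id := range ids {
		delete(s.templates, id)
	}
	return nil
}

func main() {
	s := newStore()
	fmt.Println("checked:", s.deleteChecked(1, []uint{20}), "| unchecked:", s.deleteUnchecked(1, []uint{20}))
}
```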

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of certificate templates for teams within the same Fleet instance, disrupting certificate-based workflows such as device enrollment, Wi-Fi authentication, VPN access, or other certificate-dependent configurations for the affected teams.

Remediation

Upgrade to Fleet version 4.80.1 or later to address this vulnerability. If an immediate upgrade is not possible, restrict access to certificate template management to trusted users and avoid delegating team administrator permissions where not strictly required.

Added: Feb 26, 2026, 11:00 AM
Updated: Feb 26, 2026, 11:00 AM

Vulnerability Rating

Custom Algorithm
  spread          0.8
  impact          1.3
  exploitability  4.4
  remediation     7.9
  relevance       3.2
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.