Fleet Password Management Vulnerability Allowing Token Reuse After Password Change

Vulnerability

A vulnerability exists in Fleet's password management logic: outstanding password reset tokens are not invalidated when a user changes their password, so they remain valid for 24 hours after the change. This could enable the reuse of a stale token to reset the password again, potentially leading to temporary account takeover. The issue affects Fleet versions prior to 4.81.0.

Impact

Exploitation of this vulnerability could allow an attacker to reuse a valid password reset token to reset a user's password, even after the user has changed it, leading to temporary account takeover.

Remediation

Users should update to Fleet version 4.81.0 or later. If a password reset token may have been exposed, wait for the token to expire before resuming use of the account, or contact a Fleet administrator to invalidate active sessions.
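As an added illustration (not Fleet's code, and not the project's actual data model), the following toy reset-token store reproduces the flaw described above and the fix: a flag selects whether a password change clears every outstanding reset token, and stale_token_replay replays the scenario of a token issued before the change being presented one hour later. User names, passwords and the 24-hour TTL are constructed sample values.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 24 * 60 * 60  # reset tokens live for 24 hours, as in the advisory


def _digest(value: str) -> str:
    """Store digests rather than raw secrets (a real system would use a slow password hash)."""
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordService:
    """Toy store; invalidate_on_change=False models pre-4.81.0 behaviour, True models the fix."""

    def __init__(self, invalidate_on_change: bool):
        self.invalidate_on_change = invalidate_on_change
        self.password_digest = {}  # user -> digest of current password
        self.reset_tokens = {}     # user -> {token digest: issued_at}

    def set_password(self, user: str, password: str) -> None:
        self.password_digest[user] = _digest(password)

    def request_reset(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.reset_tokens.setdefault(user, {})[_digest(token)] = now
        return token

    def change_password(self, user: str, new_password: str) -> None:
        self.set_password(user, new_password)
        if self.invalidate_on_change:
            # The fix: tokens issued before this change must die with the old
            # credential, however much of their 24-hour TTL is left.
            self.reset_tokens.pop(user, None)

    def reset_with_token(self, user: str, token: str, new_password: str, now: float) -> bool:
        issued_at = self.reset_tokens.get(user, {}).get(_digest(token))
        if issued_at is None or now - issued_at > TOKEN_TTL_SECONDS:
            return False  # unknown, already consumed, or expired token
        self.set_password(user, new_password)
        self.reset_tokens.pop(user, None)  # a successful reset consumes every outstanding token
        return True


def stale_token_replay(invalidate_on_change: bool) -> bool:
    """Token issued at t=0, password changed, old token presented one hour later.
    Returns True when the stale token still resets the password (the vulnerable outcome)."""
    svc = PasswordService(invalidate_on_change)
    svc.set_password("alice", "old-password")   # constructed sample user
    token = svc.request_reset("alice", 0.0)
    svc.change_password("alice", "new-password")  # user rotates the credential
    return svc.reset_with_token("alice", token, "reset-via-stale-token", 3600.0)
```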

Added: Mar 27, 2026, 7:29 PM
Updated: Mar 27, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm
spread:         0.8
impact:         1.3
exploitability: 5.2
remediation:    7.9
relevance:      4.8
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.