Fleet User Invitation Email Validation Vulnerability Allowing Arbitrary Email Account Creation

Vulnerability

A vulnerability in Fleet's user invitation process prior to version 4.81.0 allowed the creation of accounts under arbitrary email addresses. The email submitted when accepting an invite was not validated against the email the invite had been issued to, so an attacker holding a valid invite token could create an account with any email address of their choosing while inheriting the role granted by the invite, including global admin rights.
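The missing check, as an added illustration that is not Fleet's own code: a hypothetical Go invite-acceptance routine in its vulnerable form beside the corrected one. The Invite type, the token map standing in for the invite store, and the error names are assumptions; the fixed version binds the new account to the invited address and still takes the role from the invite record rather than from the request.

```go
package main

import (
	"errors"
	"strings"
)

// Invite is a hypothetical server-side invite record (added example, not Fleet's code).
type Invite struct {
	Email string // address the invite was issued to
	Role  string // role the new account inherits, e.g. "admin"
	Used  bool   // invites are single-use
}

var ErrInviteNotFound = errors.New("invite not found or already used")
var ErrEmailMismatch = errors.New("email does not match invite")

// lookupInvite resolves a token to an unused invite.
func lookupInvite(invites map[string]*Invite, token string) (*Invite, error) {
	inv, ok := invites[token]
	if !ok || inv.Used {
		return nil, ErrInviteNotFound
	}
	return inv, nil
}

func normalizeEmail(e string) string { return strings.ToLower(strings.TrimSpace(e)) } // case/space-insensitive compare

// AcceptInviteVulnerable mirrors the flaw: the submitted email is trusted as-is, so whoever holds the token can register any address with the invite's role.
func AcceptInviteVulnerable(invites map[string]*Invite, token, email string) (string, string, error) {
	inv, err := lookupInvite(invites, token)
	if err != nil {
		return "", "", err
	}
	inv.Used = true
	return email, inv.Role, nil // email never compared with inv.Email
}

// AcceptInviteFixed binds the account to the invited address; the role still comes from the record.
func AcceptInviteFixed(invites map[string]*Invite, token, email string) (string, string, error) {
	inv, err := lookupInvite(invites, token)
	if err != nil {
		return "", "", err
	}
	if normalizeEmail(email) != normalizeEmail(inv.Email) {
		return "", "", ErrEmailMismatch
	}
	inv.Used = true
	return inv.Email, inv.Role, nil // account created under the invited address
}
```

A rejected mismatch deliberately leaves the invite unconsumed, so the legitimate invitee can still accept it after the attempt is noticed and investigated.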

Impact

Exploitation of this vulnerability allows an attacker with a valid invite token to create a Fleet account with a chosen email address, inheriting the assigned role and team memberships from the invite. This could include elevated privileges such as global admin.

Remediation

Users are advised to upgrade to Fleet version 4.81.0 or later. If an immediate upgrade is not possible, treat invite links as sensitive credentials, avoid sharing them in public or semi-public channels, and revoke and reissue invites if there is concern that an invite link may have been exposed.

Added: Mar 27, 2026, 8:23 PM
Updated: Mar 27, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 4.7
remediation: 8.3
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.