Following is the vulnerability report of Fleet and its dependencies.
- Author: @lucasmrod
- Status:
not_affected - Status notes: There are no path-based authorization interceptors. The only interceptors are grpc_recovery (panic handlers). CVE-2026-33186 specifically requires path-based authz rules (like grpc/authz RBAC policies) that compare against info.FullMethod — Fleet doesn't use any.
- Products::
fleet,pkg:golang/google.golang.org/grpc - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 12:38:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: The vulnerability is in zlib's contrib/untgz standalone demo utility, not in the core zlib library.
- Products::
fleet,pkg:apk/alpine/zlib@1.3.1-r2 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 12:01:11
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet uses Go cryptography packages.
- Products::
fleet,pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-10-01 10:09:03
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go's crypto and TLS implementation.
- Products::
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet does not mutate CA pool store between TLS sessions.
- Products::
fleet,pkg:golang/stdlib - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 13:23:41
- Author: @lucasmrod
- Status:
fixed - Products::
fleet@v4.78.* - Timestamp: 2025-12-10 19:26:25
- Author: @lucasmrod
- Status:
affected - Status notes: This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
- Products::
fleet@v4.77.0,fleet@v4.76.0,fleet@v4.76.1,fleet@v4.75.0,fleet@v4.75.1,pkg:golang/stdlib@1.25.3 - Action statement:
No action statement provided - Timestamp: 2025-12-10 19:26:10
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet does not use OPA in server mode, it uses it as a library.
- Products::
fleet,pkg:golang/github.com/open-policy-agent/opa@v0.44.0,pkg:golang/github.com/open-policy-agent/opa@0.44.0 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-05-05 20:29:07
- Author: @lucasmrod
- Status:
not_affected - Status notes: The token format being validated before the call to ParseUnverified.
- Products::
fleet,pkg:golang/github.com/golang-jwt/jwt/v4 - Justification:
inline_mitigations_already_exist - Timestamp: 2025-04-10 15:23:54
- Author: @lucasmrod
- Status:
fixed - Products::
pkg:golang/github.com/fleetdm/fleet/v4,cpe:2.3:a:fleetdm:fleet:v4.64.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.58.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.2:*:*:*:*:*:*:* - Timestamp: 2025-05-12 16:30:30
- Author: @lucasmrod
- Status:
affected - Products::
cpe:2.3:a:fleetdm:fleet:v4.64.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.64.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.63.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.62.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.61.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.60.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.60.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.59.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.59.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.58.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.57.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.56.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.55.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.54.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.53.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.52.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.51.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.51.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.50.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.49.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.48.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.47.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.46.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.45.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.45.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.44.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.44.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.43.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.42.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.41.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.41.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.40.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.39.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.38.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.38.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.37.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.36.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.35.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.34.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.34.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.33.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.33.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.32.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.31.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.31.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.30.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.30.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.29.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.29.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.28.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.28.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.27.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.27.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.26.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.25.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.24.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.24.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.23.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.22.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.22.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.21.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.20.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.20.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.19.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.19.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.18.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.17.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.17.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.16.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.15.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.14.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.13.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.12.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.12.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.11.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.10.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.9.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.9.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.8.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.7.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.6.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.5.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.5.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.4.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.3.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.2.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.1.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc3:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc2:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v4.0.0-rc1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.13.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.12.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.11.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.10.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.10.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.9.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.8.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.4:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.7.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.6.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.5.1:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.5.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.4.0:*:*:*:*:*:*:*,cpe:2.3:a:fleetdm:fleet:v3.3.0:*:*:*:*:*:*:* - Action statement:
Disable SAML SSO authentication. - Timestamp: 2025-05-12 16:13:23
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet does not perform any EUC-KR to UTF-8 translation by libc.
- Products::
fleet,pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-14 16:30:01
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet does not perform any verification of policies in client certificates (CertificatePolicies not set in VerifyOptions).
- Products::
fleet,pkg:golang/stdlib@1.24.2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-23 16:48:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- Products::
fleet,pkg:golang/github.com/go-git/go-git/v5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:43:15
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- Products::
fleet,pkg:golang/github.com/go-git/go-git/v5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:42:55
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go's crypto and TLS implementation.
- Products::
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: Fleet doesn't run on Windows, so it's not affected by this vulnerability.
- Products::
fleet,pkg:golang/github.com/open-policy-agent/opa - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-05-05 20:54:14
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go TLS implementation.
- Products::
fleet,pkg:apk/alpine/libcrypto3,pkg:apk/alpine/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl executable is unused in the fleetdm/fleet docker image. The executable was removed in v4.64.0.
- Products::
fleet,pkg:golang/github.com/goreleaser/nfpm/v2 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 15:28:30
- Author: @lucasmrod
- Status:
not_affected - Status notes: Vulnerability only affects Java/JVM web applications that use Jackson's asynchronous (non-blocking) JSON parser.
- Products::
fleetctl,pkg:maven/com.fasterxml.jackson.core/jackson-core@2.18.0 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 12:30:33
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not validate any XML signatures.
- Products::
fleetctl,pkg:golang/github.com/russellhaering/goxmldsig - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-23 16:44:57
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
- Products::
fleetctl,pkg:golang/google.golang.org/grpc - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-23 19:20:41
- Author: @lucasmrod
- Status:
not_affected - Status notes: This is a vulnerability in Fleet, not fleetctl.
- Products::
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-03-13 12:33:34
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl uses admin controlled URLs to manage Fleet. The primary attack vector is social engineering an admin into using a crafted URL.
- Products::
fleetctl,pkg:golang/stdlib - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-23 19:12:15
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process XML using libexpat1, and when genrating packages the XMLs are defined.
- Products::
fleetctl,pkg:deb/debian/libexpat1 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
- Products::
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
component_not_present - Timestamp: 2026-01-30 09:25:41
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleet uses Go's crypto and TLS implementation.
- Products::
fleetctl,pkg:deb/debian/libssl3,pkg:deb/debian/openssl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not process end-user provided PDF files with Java when generating fleetd installers. The only PDF processing code is in Go for EULA documents.
- Products::
fleetctl,pkg:maven/org.apache.tika/tika-core - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 18:12:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
- Products::
fleetctl,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 19:04:58
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
- Products::
fleetctl,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 19:04:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetdm/fleetctl does not use libpng. Fleet components use the 'image/png' Go package for png processing.
- Products::
fleetctl,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-10 19:04:07
- Author: @lucasmrod
- Status:
fixed - Products::
fleetctl@v4.78.* - Timestamp: 2025-12-10 19:26:44
- Author: @lucasmrod
- Status:
affected - Status notes: This is not a CRITICAL CVE, but we still recommend upgrading to 4.78.* when it's available.
- Products::
fleetctl@v4.77.0,fleetctl@v4.76.0,fleetctl@v4.76.1,fleetctl@v4.75.0,fleetctl@v4.75.1,pkg:golang/stdlib@1.25.3 - Action statement:
No action statement provided - Timestamp: 2025-12-10 19:26:35
- Author: @sgress454
- Status:
not_affected - Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- Products::
fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-13 15:57:38
- Author: @sgress454
- Status:
not_affected - Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- Products::
fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-13 15:57:25
- Author: @sgress454
- Status:
not_affected - Status notes: The affected dependency (libxml2) is not utilized by fleetctl itself, but by Apple’s iTMSTransporter tool, which is included in the Docker image for code signing purposes. fleetctl does not process untrusted XML input. Additionally, this CVE describes a denial-of-service (DoS) vulnerability, and fleetctl is a CLI tool, not a long-running service, and therefore is not susceptible to DoS-style exploitation.
- Products::
fleetctl,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u1,pkg:deb/debian/libxml2@2.9.14+dfsg-1.3~deb12u2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-13 15:56:50
- Author: @lucasmrod
- Status:
not_affected - Status notes: The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers.
- Products::
fleetctl,pkg:maven/commons-beanutils/commons-beanutils - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-06-02 07:33:44
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use OPA.
- Products::
fleetctl,pkg:golang/github.com/open-policy-agent/opa - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-05-06 07:47:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: Vulnerability affects web servers, not fleetctl.
- Products::
fleetctl,pkg:maven/org.springframework/spring-core - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-09-22 10:27:40
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use liblzma5.
- Products::
fleetctl,pkg:deb/debian/liblzma5 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-09 13:24:20
- Author: @lucasmrod
- Status:
not_affected - Status notes: This vulnerability affected fleet, not fleetctl, adding it here to avoid false positives.
- Products::
fleetctl,pkg:golang/github.com/fleetdm/fleet/v4 - Justification:
component_not_present - Timestamp: 2025-09-12 09:25:41
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl uses Go's crypto and TLS implementation.
- Products::
fleetctl,pkg:deb/debian/openssl,pkg:deb/debian/libssl3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2026-01-03 15:15:53
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products::
fleetctl,pkg:maven/com.google.protobuf/protobuf-java - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 07:34:26
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use libaom3.
- Products::
fleetctl,pkg:deb/debian/libaom3 - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-15 10:28:21
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use zlib C library.
- Products::
fleetctl,pkg:deb/debian/zlib1g - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-15 10:17:19
- Author: @getvictor
- Status:
not_affected - Status notes: When packaging linux files, fleetctl does not use global permissions. It was verified that packed fleetd package files do not have group/global write permissions.
- Products::
fleetctl,pkg:golang/github.com/goreleaser/nfpm/v2 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-04-09 10:26:02
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products::
fleetctl,pkg:maven/org.codehaus.jackson/jackson-mapper-asl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-15 10:31:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products::
fleetctl,pkg:maven/xerces/xercesImpl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 07:36:31
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not use Java.
- Products::
fleetctl,pkg:maven/xerces/xercesImpl - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-04-10 14:46:52
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not process media files when using fleetdm/wix.
- Products::
wix,pkg:deb/debian/libgstreamer-plugins-base1.0-0 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 12:23:52
- Author: @lucasmrod
- Status:
not_affected - Status notes: No attacker-controlled allocation arguments. The fleetdm/wix container runs WiX toolset commands (heat.exe, candle.exe, light.exe) via Wine to compile .wxs files into an MSI. The only input is a volume-mounted temp directory containing Fleet-generated files (main.wxs, heat.wxs, the orbit root directory). None of this feeds attacker-controlled size/alignment values to memalign.
- Products::
wix,pkg:deb/debian/libc6,pkg:deb/debian/libc-bin - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 12:18:16
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products::
wix,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-19 18:03:45
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products::
wix,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-19 18:03:33
- Author: @lucasmrod
- Status:
not_affected - Status notes: fleetctl does not do PNG processing when using fleetdm/wix.
- Products::
wix,pkg:deb/debian/libpng16-16 - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2025-12-19 18:02:56
- Author: @lucasmrod
- Status:
not_affected - Status notes: The WiX toolset is unaffected by the perl vulnerability.
- Products::
wix,pkg:deb/debian/perl-base - Justification:
vulnerable_code_not_in_execute_path - Timestamp: 2025-10-01 08:36:42
- Author: @lucasmrod
- Status:
not_affected - Status notes: Use of mkbom and xar from fleetdm/bomutils have admin controlled inputs.
- Products::
bomutils,pkg:deb/debian/libc6,pkg:deb/debian/libc-bin - Justification:
vulnerable_code_cannot_be_controlled_by_adversary - Timestamp: 2026-03-24 08:41:27