Fleet, the open-source osquery fleet manager from FleetDM, shipped with a critical flaw in its v4 user invitation flow. Attackers holding a valid invite token could register an account using any email address they wanted, while claiming the full privileges tied to that invite—including global admin rights. This bypassed email validation entirely, turning leaked invites into backdoors for unauthorized access.
The vulnerability surfaced in Fleet v4, the current major release branch powering thousands of self-hosted deployments for endpoint visibility and management. Fleet helps security teams deploy osquery agents across macOS, Windows, and Linux hosts and query device data for threat hunting and compliance. With over 7,500 GitHub stars and adoption by enterprises such as Shopify, it's a staple in SecOps stacks. This bug undermines that trust: a single leaked invite grants an attacker not just a user seat but control over endpoint policies, queries, and potentially sensitive host data.
Technical Breakdown
Here's how it worked. Admins generate invites via the Fleet UI or API, specifying an email, a role (e.g., global admin, maintainer, observer), and team memberships. The invite produces a token, typically delivered by email or shared as a link. When a user accepts, Fleet's backend should verify that the email submitted with the acceptance matches the email the invite was issued to. It didn't. Code review shows the acceptance endpoint in server/service/invite.go skipped this check and stored the user's self-reported email instead, while still applying the role and team memberships attached to the invite.
An attacker who obtains the token (from a Slack channel, a phishing reply, a forwarded email, or shoulder-surfing) hits the accept endpoint with an email address of their choosing. The result is a new account with the invite's roles inherited and no further hurdles. Tokens aren't explicitly single-use in the docs, but they do expire (default 7 days). This is not an authentication bypass on its own: you still need a valid, unexpired token first. Discovered by fuzzztf via responsible disclosure, the flaw was patched in Fleet v4.12.0+ by enforcing the email match server-side.
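To make the missing check concrete, here is an added Go example that models the acceptance step both ways. It is illustrative code written for this article, not Fleet's own handler or datastore: the Store, Invite, and User types, the sample token, and the 7-day expiry window are assumptions chosen to mirror the flow described above. AcceptInviteVulnerable keeps the caller's self-reported email and only checks expiry; AcceptInviteFixed binds the account to the invited address (normalised for case and whitespace) and burns the invite on first use.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Invite models what an admin sets when issuing an invite. Illustrative only;
// this is not Fleet's schema.
type Invite struct {
	Token      string
	Email      string // the address the admin invited
	GlobalRole string // e.g. "admin", "maintainer", "observer"
	Expires    time.Time
	Accepted   bool
}

// User is the account created from an accepted invite.
type User struct {
	Email      string
	GlobalRole string
}

// Store is an in-memory stand-in for the invites table, keyed by token.
type Store struct {
	mu      sync.Mutex
	invites map[string]*Invite
}

var (
	ErrInviteNotFound = errors.New("invite not found or expired")
	ErrEmailMismatch  = errors.New("email does not match the invited address")
	ErrInviteUsed     = errors.New("invite already accepted")
)

// Constructed sample data (not real credentials or a real deployment).
var (
	SampleIssuedAt = time.Date(2022, 5, 1, 12, 0, 0, 0, time.UTC)
	SampleToken    = "inv-sample-token-0001"
)

// SampleStore returns a store holding one global-admin invite for
// alice@corp.example that expires 7 days after issue, matching Fleet's default.
func SampleStore() *Store {
	return &Store{invites: map[string]*Invite{
		SampleToken: {
			Token:      SampleToken,
			Email:      "alice@corp.example",
			GlobalRole: "admin",
			Expires:    SampleIssuedAt.Add(7 * 24 * time.Hour),
		},
	}}
}

// normalizeEmail compares addresses case-insensitively and ignores
// surrounding whitespace so "Alice@Corp.Example " matches the stored value.
func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// AcceptInviteVulnerable reproduces the flawed behaviour: the role comes from
// the invite, the email comes from the request, and nothing ties them together.
func (s *Store) AcceptInviteVulnerable(token, email string, now time.Time) (*User, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	inv, ok := s.invites[token]
	if !ok || now.After(inv.Expires) {
		return nil, ErrInviteNotFound
	}
	// BUG: inv.Email is never compared against the submitted email.
	return &User{Email: email, GlobalRole: inv.GlobalRole}, nil
}

// AcceptInviteFixed enforces the match server-side and makes the token single-use.
func (s *Store) AcceptInviteFixed(token, email string, now time.Time) (*User, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	inv, ok := s.invites[token]
	if !ok || now.After(inv.Expires) {
		return nil, ErrInviteNotFound
	}
	if inv.Accepted {
		return nil, ErrInviteUsed
	}
	if normalizeEmail(email) != normalizeEmail(inv.Email) {
		return nil, ErrEmailMismatch
	}
	inv.Accepted = true
	// Persist the invited address, not the request's, so the account can only
	// ever be the identity the admin approved.
	return &User{Email: inv.Email, GlobalRole: inv.GlobalRole}, nil
}

func main() {
	now := SampleIssuedAt.Add(24 * time.Hour)
	u, err := SampleStore().AcceptInviteVulnerable(SampleToken, "admin@evil.example", now)
	fmt.Printf("vulnerable: user=%+v err=%v\n", u, err)
	_, err = SampleStore().AcceptInviteFixed(SampleToken, "admin@evil.example", now)
	fmt.Printf("fixed, wrong email: err=%v\n", err)
	u, err = SampleStore().AcceptInviteFixed(SampleToken, " Alice@Corp.Example ", now)
	fmt.Printf("fixed, right email: user=%+v err=%v\n", u, err)
}
```

The order of checks matters: expiry is evaluated before the single-use and email checks so an expired token is rejected identically whether or not it was ever used, and the error strings give an attacker probing tokens nothing beyond "not found".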
Real-World Risks and Why It Matters
This isn't theoretical. Fleet runs in air-gapped and cloud setups managing 10,000+ endpoints per org. An attacker holding an admin account registered under a fake email gains:
- Full query access to osquery results—host processes, files, network connections.
- Policy deployment: Push scripts, enroll new agents, or disrupt operations.
- Team escalations: Join restricted teams, pivot to other users.
Impact score: CVSS pending, but high (7.5+). Exploitation requires invite exposure, which is common in remote teams that share links over chat or email. There is no RCE or data dump without first creating the account, but that's cold comfort: once in, an attacker loiters as "admin@evil.com", reading audit logs or exfiltrating query packs.
Broader context: invite and signup flows are a recurring weak point in identity tooling, and Fleet's self-hosted nature amplifies the risk because there is no vendor SOC watching for anomalies. Orgs using Fleet for EDR-like workflows face a compromise chain: attacker → Fleet admin → mass agent updates → persistence. With the osquery ecosystem reporting 100k+ daily active fleets, even 1% exposure means widespread pain.
Skeptical take: Fleet fixed it promptly and credited fuzzztf. But v4 depends on Go, MySQL, and Redis; if you run a fork, audit it for the same missing check. Fleet's advisory reports no evidence of exploitation in the wild, but silent compromises thrive on authorization skips like this one.
Fixes, Workarounds, and OpSec
Upgrade to Fleet v4.12.0 or later immediately. Docker users should pull a pinned release tag at or above the fix (for example fleetdm/fleet:v4.12.0) rather than relying on latest, which changes meaning over time:
docker pull fleetdm/fleet:v4.12.0
then redeploy. Helm charts have been updated too. Verify the running version against the changelog or with ./fleet --version.
Can't upgrade yet? Clamp down:
- Handle invites like API keys: send them by direct message only, never in public channels.
- Revoke suspect invites via the UI or API. If you must go to the database directly, take a backup first and delete by token:
DELETE FROM invites WHERE token = '...';
- Issue low-privilege invites (observer role) and promote the user only after verifying their identity out of band.
- Keep invite expiry as short as your workflow allows (24h minimum) and audit logs for anomalies such as accepted invites whose account email differs from the invited one.
Post-patch, rotate all active invites. Monitor Fleet's GitHub issues and advisories for related vulnerabilities; the osquery ecosystem moves fast. Questions? Contact security@fleetdm.com. This underscores a hard truth: even solid tools like Fleet falter on basics. Treat every token as a live grenade.