CVE-2026-46356: Fleet: IP spoofing allows bypassing API rate limiting
A vulnerability in Fleet’s IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet.