CVE-2026-34389: Fleet's user account creation via invite does not enforce invited email address

March 30, 2026

Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin.

References

github.com/advisories/GHSA-4f9r-x588-pp2h
github.com/fleetdm/fleet
github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h
nvd.nist.gov/vuln/detail/CVE-2026-34389

Code Behaviors & Features

Detect and mitigate CVE-2026-34389 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →