CVE-2026-23518: Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

January 20, 2026 (updated January 22, 2026)

A vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.

References

github.com/advisories/GHSA-63m5-974w-448v
github.com/fleetdm/fleet
github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257
github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v
nvd.nist.gov/vuln/detail/CVE-2026-23518

Code Behaviors & Features

Detect and mitigate CVE-2026-23518 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →