CVE-2026-23999: Fleet: Device lock PIN can be predicted if lock time is known

February 26, 2026

Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if the approximate time the device was locked is known.

References

github.com/advisories/GHSA-ppwx-5jq7-px2w
github.com/fleetdm/fleet
github.com/fleetdm/fleet/commit/05ca0693621e6671fb95dfc5437b9f9ee6dd7047
github.com/fleetdm/fleet/security/advisories/GHSA-ppwx-5jq7-px2w
nvd.nist.gov/vuln/detail/CVE-2026-23999

Code Behaviors & Features

Detect and mitigate CVE-2026-23999 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →