CVE-2026-27465: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

February 26, 2026

A vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account.

References

github.com/advisories/GHSA-2v6m-6xw3-6467
github.com/fleetdm/fleet
github.com/fleetdm/fleet/commit/23fc6804efe785f806f769d6be1f5f05b2e13ec2
github.com/fleetdm/fleet/security/advisories/GHSA-2v6m-6xw3-6467
nvd.nist.gov/vuln/detail/CVE-2026-27465

Code Behaviors & Features

Detect and mitigate CVE-2026-27465 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →