Description
Advisory GHSA-3458-r943-hmx4 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/fleetdm/fleet/v2 |
| github.com/fleetdm/fleet/v3 |
| github.com/fleetdm/fleet/v4 |
Description:
Summary
A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.
Impact
If an attacker had prior access to a valid password reset token, they could reuse that token within its validity window to reset the user’s password after the user has already changed it. This could result in temporary account takeover.
Exploitation requires prior compromise of a pa...
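The defect the advisory describes is a missing coupling between two code paths: the authenticated password-change handler and the token-driven reset handler. The sketch below is an added illustration written for this page, not Fleet's code; the `Store`, `user`, `resetToken` types and every function name are constructed. It shows the defensive pattern that closes the gap: a password change bumps a per-user password generation and deletes the user's outstanding tokens, and the reset path checks expiry, single use, and generation before applying a new password, so a token issued before a defensive change is rejected even though its 24-hour window has not elapsed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidToken covers unknown, expired, consumed, and stale tokens.
// One generic error avoids telling a caller which check failed.
var ErrInvalidToken = errors.New("invalid or expired password reset token")

// user is a constructed stand-in for an account record (not Fleet's schema).
type user struct {
	password    string // a real system stores a bcrypt/argon2 hash, never the password
	passwordGen uint64 // incremented on every password change
}

// resetToken records the password generation it was issued under, so a later
// password change makes every earlier token unusable by generation mismatch,
// independently of the explicit deletion done in ChangePassword.
type resetToken struct {
	userID    string
	issuedGen uint64
	expiresAt time.Time
}

// Store is an in-memory account and reset-token store for this example.
type Store struct {
	users  map[string]*user
	tokens map[string]resetToken // keyed by SHA-256 of the token, never the token itself
	now    func() time.Time      // injectable clock so expiry is testable
}

func NewStore(now func() time.Time) *Store {
	return &Store{users: map[string]*user{}, tokens: map[string]resetToken{}, now: now}
}

func (s *Store) AddUser(id, password string) { s.users[id] = &user{password: password} }

// Password exposes the current credential so callers can verify outcomes.
func (s *Store) Password(id string) string {
	if u := s.users[id]; u != nil {
		return u.password
	}
	return ""
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// IssueResetToken mints a random, single-use token valid for ttl.
func (s *Store) IssueResetToken(userID string, ttl time.Duration) (string, error) {
	u := s.users[userID]
	if u == nil {
		return "", errors.New("unknown user")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[hashToken(tok)] = resetToken{userID: userID, issuedGen: u.passwordGen, expiresAt: s.now().Add(ttl)}
	return tok, nil
}

// ChangePassword is the authenticated path. The fix the advisory calls for
// lives here: changing the password must revoke every outstanding reset token.
func (s *Store) ChangePassword(userID, newPassword string) error {
	u := s.users[userID]
	if u == nil {
		return errors.New("unknown user")
	}
	u.password = newPassword
	u.passwordGen++ // stale tokens now fail the generation check ...
	for k, t := range s.tokens { // ... and are removed outright as well
		if t.userID == userID {
			delete(s.tokens, k)
		}
	}
	return nil
}

// ResetPassword is the unauthenticated path driven by the emailed token.
func (s *Store) ResetPassword(tok, newPassword string) error {
	key := hashToken(tok)
	t, ok := s.tokens[key]
	if !ok {
		return ErrInvalidToken
	}
	delete(s.tokens, key) // single use, whatever the remaining checks decide
	u := s.users[t.userID]
	if u == nil || s.now().After(t.expiresAt) || t.issuedGen != u.passwordGen {
		return ErrInvalidToken
	}
	u.password = newPassword
	u.passwordGen++ // a reset is itself a password change
	return nil
}

func main() {
	s := NewStore(time.Now)
	s.AddUser("alice", "old-secret")
	tok, _ := s.IssueResetToken("alice", 24*time.Hour)
	_ = s.ChangePassword("alice", "new-secret") // defensive change by the account owner
	err := s.ResetPassword(tok, "someone-elses-choice")
	fmt.Println("stale token rejected:", errors.Is(err, ErrInvalidToken), "password:", s.Password("alice"))
}
```

The generation check is deliberately redundant with the deletion loop: in a real deployment tokens and accounts usually live in different tables or services, and a revocation that runs as a separate write can be skipped or fail, whereas a generation stored with the token is verified at the moment of use.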
References:
- ADVISORY: https://github.com/advisories/GHSA-3458-r943-hmx4
- ADVISORY: https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4
Cross references:
- github.com/fleetdm/fleet/v4 appears in 11 other report(s):
  - data/excluded/GO-2022-0594.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-ch68-7cf4-35vr #594) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0766.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-w3wf-cfx3-6gcx #766) DEPENDENT_VULNERABILITY
  - data/reports/GO-2025-3505.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-52jx-g6m5-h735 #3505)
  - data/reports/GO-2026-4334.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-4r5r-ccr6-q6f6 #4334)
  - data/reports/GO-2026-4335.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet: GHSA-63m5-974w-448v #4335)
  - data/reports/GO-2026-4336.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-gfpw-jgvr-cw4j #4336)
  - data/reports/GO-2026-4557.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-49xw-vfc4-7p43 #4557)
  - data/reports/GO-2026-4560.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-2v6m-6xw3-6467 #4560)
  - data/reports/GO-2026-4561.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-5jvp-m9h4-253h #4561)
  - data/reports/GO-2026-4563.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-9pm7-6g36-6j78 #4563)
  - data/reports/GO-2026-4564.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-ppwx-5jq7-px2w #4564)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/fleetdm/fleet/v2
    - module: github.com/fleetdm/fleet/v3
    - module: github.com/fleetdm/fleet/v4
      non_go_versions:
        - fixed: 4.43.5-0.20260113202849-bbc1aef2987d
summary: 'Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet'
cves:
    - CVE-2026-26060
ghsas:
    - GHSA-3458-r943-hmx4
references:
    - advisory: https://github.com/advisories/GHSA-3458-r943-hmx4
    - advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4
notes:
    - fix: 'github.com/fleetdm/fleet/v4: could not add vulnerable_at: no fix, but could not find latest version from proxy: HTTP GET /github.com/fleetdm/fleet/v4/@latest returned status 404 Not Found'
    - fix: 'github.com/fleetdm/fleet/v2: could not add vulnerable_at: no fix, but could not find latest version from proxy: unexpected end of JSON input'
    - fix: 'github.com/fleetdm/fleet/v3: could not add vulnerable_at: no fix, but could not find latest version from proxy: unexpected end of JSON input'
source:
    id: GHSA-3458-r943-hmx4
    created: 2026-03-27T19:05:04.623796083Z
review_status: UNREVIEWED
```