Advisory GHSA-99hj-44vg-hfcp references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/fleetdm/fleet/v2 |
| github.com/fleetdm/fleet/v3 |
| github.com/fleetdm/fleet/v4 |
Description:
Summary
Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition.
Impact
An unauthenticated attacker could cause the Fleet server process to exhaust available memory and restart by sending oversized or repeated HTTP requests to affected endpoints.
This vulnerability impacts availability only. There is:
- No exposure of sensitive data
- ...
References:
- ADVISORY: GHSA-99hj-44vg-hfcp
Cross references:
- github.com/fleetdm/fleet/v4 appears in 11 other report(s):
  - data/excluded/GO-2022-0594.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-ch68-7cf4-35vr #594) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0766.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-w3wf-cfx3-6gcx #766) DEPENDENT_VULNERABILITY
  - data/reports/GO-2025-3505.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-52jx-g6m5-h735 #3505)
  - data/reports/GO-2026-4334.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-4r5r-ccr6-q6f6 #4334)
  - data/reports/GO-2026-4335.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet: GHSA-63m5-974w-448v #4335)
  - data/reports/GO-2026-4336.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-gfpw-jgvr-cw4j #4336)
  - data/reports/GO-2026-4557.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-49xw-vfc4-7p43 #4557)
  - data/reports/GO-2026-4560.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-2v6m-6xw3-6467 #4560)
  - data/reports/GO-2026-4561.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-5jvp-m9h4-253h #4561)
  - data/reports/GO-2026-4563.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-9pm7-6g36-6j78 #4563)
  - data/reports/GO-2026-4564.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-ppwx-5jq7-px2w #4564)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/fleetdm/fleet/v2
    - module: github.com/fleetdm/fleet/v3
    - module: github.com/fleetdm/fleet/v4
      non_go_versions:
          - fixed: 4.43.5-0.20260113202849-bbc1aef2987d
summary: Fleet's unbounded request body read allows remote Denial of Service in github.com/fleetdm/fleet
cves:
    - CVE-2026-26061
ghsas:
    - GHSA-99hj-44vg-hfcp
references:
    - advisory: https://github.com/advisories/GHSA-99hj-44vg-hfcp
    - advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp
notes:
    - fix: 'github.com/fleetdm/fleet/v4: could not add vulnerable_at: no fix, but could not find latest version from proxy: HTTP GET /github.com/fleetdm/fleet/v4/@latest returned status 404 Not Found'
    - fix: 'github.com/fleetdm/fleet/v2: could not add vulnerable_at: no fix, but could not find latest version from proxy: unexpected end of JSON input'
    - fix: 'github.com/fleetdm/fleet/v3: could not add vulnerable_at: no fix, but could not find latest version from proxy: unexpected end of JSON input'
source:
    id: GHSA-99hj-44vg-hfcp
    created: 2026-03-27T19:05:05.297106213Z
review_status: UNREVIEWED
```