{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fleet/v4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fleet/v4"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","grpc","fleet","github advisory"],"_cs_type":"advisory","_cs_vendors":["FleetDM"],"content_html":"\u003cp\u003eFleet server versions before 4.81.0 contain a denial-of-service vulnerability affecting the gRPC Launcher\u0026rsquo;s \u003ccode\u003ePublishLogs\u003c/code\u003e endpoint. This flaw allows an authenticated attacker, possessing a valid Launcher node key, to send a specially crafted gRPC request that the Fleet server fails to handle gracefully. The unexpected input within this request triggers a condition leading to the immediate termination of the Fleet server process, causing a complete denial of service. The vulnerability, assigned CVE-2026-26062, stems from inadequate input validation on the \u003ccode\u003ePublishLogs\u003c/code\u003e endpoint. Successful exploitation requires a valid Launcher node key, limiting the attack surface to compromised or malicious Launcher hosts enrolled within the Fleet management infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a valid Launcher node key, either through compromise of a Launcher host or insider threat.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious gRPC request specifically targeting the \u003ccode\u003ePublishLogs\u003c/code\u003e endpoint of the Fleet server.\u003c/li\u003e\n\u003cli\u003eThe malicious gRPC request contains unexpected or malformed input designed to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the Fleet server using the compromised Launcher node key.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted gRPC request to the \u003ccode\u003ePublishLogs\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Fleet server receives the malicious request and attempts to process the malformed input.\u003c/li\u003e\n\u003cli\u003eDue to inadequate input validation, the server encounters an unhandled exception or error condition.\u003c/li\u003e\n\u003cli\u003eThe unhandled exception causes the Fleet server process to terminate unexpectedly, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in an immediate and complete denial of service, impacting the availability of Fleet server. This could disrupt endpoint monitoring, policy enforcement, and other critical security functions dependent on the Fleet platform. Although there is no exposure of sensitive data, authentication bypass, privilege escalation, or integrity impact, the disruption to operations can be significant, especially in environments relying heavily on Fleet for endpoint management and security visibility. The number of affected organizations depends on the prevalence of Fleet deployments and the attacker\u0026rsquo;s ability to compromise Launcher node keys.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Fleet server to version 4.81.0 or later to remediate the vulnerability (CVE-2026-26062).\u003c/li\u003e\n\u003cli\u003eRestrict network access to the Fleet gRPC endpoint (where feasible) to limit potential attack surfaces, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required, mitigating the impact of malicious requests.\u003c/li\u003e\n\u003cli\u003eMonitor for repeated Fleet process crashes or unexpected restarts, indicating potential exploitation attempts, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Fleet Server Crashes\u0026rdquo; to identify potential exploitation attempts based on server crash events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:18:43Z","date_published":"2026-05-14T13:18:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fleet-grpc-dos/","summary":"Fleet server versions prior to 4.81.0 are vulnerable to a denial-of-service (DoS) via the gRPC Launcher `PublishLogs` endpoint, where unexpected input values can cause the server process to terminate upon receiving a crafted request from an authenticated Launcher host.","title":"Fleet Server gRPC PublishLogs Endpoint Denial-of-Service Vulnerability (CVE-2026-26062)","url":"https://feed.craftedsignal.io/briefs/2026-05-fleet-grpc-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Fleet/V4","version":"https://jsonfeed.org/version/1.1"}