Technologyglobal✓ verified · 90%

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Name: Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint
Start: 2026-06-12T21:00:48Z
Location: Global (internet)

When: 2026-06-12 21:00 UTC
Where: Global (internet)
Category: cyber_advisory · go

### Summary A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service (APNS) tokens — through a cursor-based binary search oracle. The endpoint accepted a user-supplied `order_key` parameter that was not validated against a column allowlist. ### Impact The `GET /api/v1/fleet/mdm/apple/commands` endpoint constructs its query using a deprecated helper that did not restrict which columns could appear in the `ORDER BY` clause. The underlying query joins the `hosts` and `nano_enrollments` tables, so any column on those tables could be supplied as `order_key`. An attacker with Observer credentials could then use the cursor-based pagination parameter (`after`) to binary-search the value of the chosen column one character at a time. The targeted values never appeared in the response body, but the presence or absence of results revealed each character. With extracted `node_key` or `orbit_node_key` values, an attacker could impersonate enrolled hosts to Fleet's osquery and Orbit endpoints, submit fabricated host data, and retrieve pending scripts and commands. The APNS values are exploitable only by a party that also possesses the organization's APNS certificate. Exploitation required authenticated Observer access and a Fleet deployment with Apple MDM enabled and at least one queued MDM command. Instances without Apple MDM configured were not affected. ### Workarounds If an immediate upgrade is not possible, administrators should: - Restrict the Observer role to fully trusted users until the patch is applied - Rotate `node_key` and `orbit_node_key` for any host suspected of exposure by re-enrolling the affected hosts ### For more information If there are any questions or comments about this advisory: Email Fleet at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw) ### Credits Fleet thanks the Security Team at Palantir Technologies for responsibly reporting this issue.

Sources

GitHub Advisory Database ↗ · first seen 2026-06-12 21:00 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map