Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e066877d516e · 2026-02-26T19:55:27.000Z
GHSA-2v6m-6xw3-6467 GHSA-r5mx-6wc6-7h9w
diff --git a/advisories/github-reviewed/2026/02/GHSA-2v6m-6xw3-6467/GHSA-2v6m-6xw3-6467.json b/advisories/github-reviewed/2026/02/GHSA-2v6m-6xw3-6467/GHSA-2v6m-6xw3-6467.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2v6m-6xw3-6467",
+  "modified": "2026-02-26T19:53:30Z",
+  "published": "2026-02-26T19:53:30Z",
+  "aliases": [
+    "CVE-2026-27465"
+  ],
+  "summary": "Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users",
+  "details": "### Summary\n\nA vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associated with the service account.\n\n### Impact\n\nFleet returns configuration data through an API endpoint that is accessible to authenticated users, including those with the lowest-privilege “Observer” role. In affected versions, Google Calendar service account credentials were not properly obfuscated before being returned.\n\nAs a result, a low-privilege user could retrieve the service account’s private key material. Depending on how the Google Calendar integration is configured, this could allow unauthorized access to calendar data or other Google Workspace resources associated with the service account.\n\nThis issue does not allow escalation of privileges within Fleet or access to device management functionality.\n\n### Patches\n\n- v4.80.1\n\n### Workarounds\n\nIf an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)  \nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @secfox-ai for responsibly reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/fleetdm/fleet/v4"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.80.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-2v6m-6xw3-6467"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27465"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/fleetdm/fleet/commit/23fc6804efe785f806f769d6be1f5f05b2e13ec2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/fleetdm/fleet"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-201"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T19:53:30Z",
+    "nvd_published_at": "2026-02-26T03:16:04Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-r5mx-6wc6-7h9w/GHSA-r5mx-6wc6-7h9w.json b/advisories/github-reviewed/2026/02/GHSA-r5mx-6wc6-7h9w/GHSA-r5mx-6wc6-7h9w.json
@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r5mx-6wc6-7h9w",
+  "modified": "2026-02-26T19:54:34Z",
+  "published": "2026-02-26T19:54:34Z",
+  "aliases": [
+    "CVE-2026-27837"
+  ],
+  "summary": "dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()",
+  "details": "### Summary\n\ndottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first.\n\nBoth `dottie.set()` and `dottie.transform()` are affected.\n\n### Details\n\nThe existing guard checks only `pieces[0] === '__proto__'`. When a path like `'a.__proto__.polluted'` is used, `pieces[0]` evaluates to `'a'`, not `'__proto__'`, so the guard is bypassed.\n\nInside the traversal loop, `current['__proto__'] = {}` triggers the `__proto__` setter, replacing the intermediate object's prototype. The final value is then written onto this new prototype.\n\n**Important distinction:** This vulnerability does NOT pollute the global `Object.prototype`. It injects properties into a specific object's prototype chain. However, injected properties are invisible to `hasOwnProperty()` and `Object.keys()`, which makes them difficult to detect and can lead to authorization bypass in common coding patterns.\n\n### PoC\n```javascript\nconst dottie = require('dottie');\n\n// set() bypass\nconst obj = {};\ndottie.set(obj, 'session.__proto__.isAdmin', true);\nconsole.log(obj.session.isAdmin);                    // true\nconsole.log(({}).isAdmin);                           // undefined\nconsole.log(obj.session.hasOwnProperty('isAdmin'));  // false\n\n// transform() bypass\nconst flat = { 'user.__proto__.role': 'admin', 'user.name': 'guest' };\nconst result = dottie.transform(flat);\nconsole.log(result.user.role);                       // 'admin'\nconsole.log(({}).role);                              // undefined\n```\n\nTested on Node.js v20 and v22, dottie 2.0.6, Windows 11.\n\n### Impact\n\nThe primary risk is authorization bypass. In a typical server-side scenario where dottie is used to process user input (e.g., via Sequelize, which depends on dottie with ~1.3M weekly npm downloads), an attacker can inject properties like `isAdmin: true` into objects used for access control decisions. Since the injected property is not an own property, standard checks using `hasOwnProperty()` or `Object.keys()` will not reveal it, while property access like `if (session.isAdmin)` will return `true`.\n\nAdditionally, replacing an object's prototype via `current['__proto__'] = {}` strips all inherited methods, potentially causing TypeError exceptions and denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "dottie"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.4"
+            },
+            {
+              "fixed": "2.0.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.0.6"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27837"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-4gxf-g5gf-22h4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mickhansen/dottie.js"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T19:54:34Z",
+    "nvd_published_at": "2026-02-26T01:16:24Z"
+  }
+}
