GHSA-ppwx-5jq7-px2w: Fleet: Device lock PIN can be predicted if lock time is known
Summary
Fleet's device lock and wipe PINs were generated using only the current Unix timestamp (the number of seconds since January 1, 1970) without any secret key or random data, making them predictable if an attacker knew approximately when the device was locked. An attacker with physical access to a locked device could theoretically guess the correct 6-digit PIN by trying nearby timestamps, though this would require multiple days of attempts and is limited by the operating system's rate limiting on failed PIN entries.
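The weakness described in the summary, as an added example that is not Fleet's code and not taken from the advisory. `weakPIN` is a hypothetical timestamp-only derivation (the hash step is an assumption, since the advisory does not give Fleet's formula), `strongPIN` is one conventional remedy using the operating system's CSPRNG rather than Fleet's actual patch, and `candidateSpace` measures how few values remain possible once the lock time is roughly known.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// weakPIN is a hypothetical stand-in for a timestamp-only derivation (assumption):
// the Unix second is the sole input, so the PIN carries no secret at all.
func weakPIN(t time.Time) string {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(t.Unix()))
	sum := sha256.Sum256(b[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// strongPIN draws a 6-digit PIN uniformly from the OS CSPRNG; rand.Int avoids
// modulo bias and the result is independent of when the lock was issued.
func strongPIN() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// candidateSpace counts the distinct PINs weakPIN can yield when the lock time
// is known to within +/- window: at most 2*window+1 values instead of 1,000,000.
func candidateSpace(lockedAt time.Time, window time.Duration) int {
	seen := map[string]struct{}{}
	secs := int64(window / time.Second)
	for d := -secs; d <= secs; d++ {
		seen[weakPIN(lockedAt.Add(time.Duration(d)*time.Second))] = struct{}{}
	}
	return len(seen)
}

func main() {
	lockedAt := time.Unix(1700000000, 0) // constructed sample lock time
	fmt.Println("same second, same PIN:", weakPIN(lockedAt) == weakPIN(lockedAt))
	fmt.Println("possible PINs within +/-5 min:", candidateSpace(lockedAt, 5*time.Minute), "of 1000000")
	pin, _ := strongPIN()
	fmt.Println("CSPRNG PIN:", pin)
}
```

Hashing the timestamp does not help: the output space is still bounded by the number of seconds in the window, which is why the fix has to introduce a secret key or random data.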
Solution / Mitigation
Customers should upgrade to a patched version. There are no known workarounds for this issue.
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-ppwx-5jq7-px2w
First tracked: February 26, 2026 at 03:00 PM