GHSA-2v6m-6xw3-6467: Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users
Summary
Fleet had a vulnerability where Google Calendar service account credentials (authentication information that grants access to Google Calendar) were visible to low-privilege users through an API endpoint (a way for programs to request data). This meant that even users with minimal permissions could retrieve sensitive private keys and potentially access calendar data or other Google services linked to that account.
Solution / Mitigation
Upgrade to Fleet v4.80.1. Alternatively, if an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials (create new authentication keys and disable the old ones).
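To confirm after upgrading that a low-privileged account no longer receives key material, and to see which key needs rotating, a saved API response can be scanned for unmasked service-account keys. This is an added example, not Fleet's code: the sample response and its wrapper field names are constructed, and only `private_key`, `private_key_id` and `client_email` come from Google's service-account key-file format.

```python
import json

# Constructed sample of a JSON body returned to a low-privileged user.
# The wrapper keys ("integrations", "calendar", "key") are hypothetical;
# the inner fields follow Google's service-account key-file format.
SAMPLE_RESPONSE = json.dumps({"integrations": {"calendar": [
    {"domain": "example.com", "key": {
        "type": "service_account",
        "private_key_id": "CONSTRUCTED-KEY-ID",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
        "client_email": "svc@example-project.iam.gserviceaccount.com"}},
    {"domain": "masked.example.com", "key": {"private_key": "********"}},
]}})

PEM_MARKER = "-----BEGIN"


def find_exposed_keys(node, path="$"):
    """Walk parsed JSON; return one finding per unmasked private key."""
    findings = []
    if isinstance(node, dict):
        key = node.get("private_key")
        if isinstance(key, str) and PEM_MARKER in key:
            findings.append({"path": path,
                             "client_email": node.get("client_email"),
                             "private_key_id": node.get("private_key_id")})
        for name, child in node.items():
            findings.extend(find_exposed_keys(child, f"{path}.{name}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings.extend(find_exposed_keys(child, f"{path}[{i}]"))
    elif isinstance(node, str) and node.lstrip().startswith("{"):
        # A key file may be embedded as a JSON string: parse and recurse.
        try:
            findings.extend(find_exposed_keys(json.loads(node), path + "<json>"))
        except ValueError:
            pass  # not JSON after all
    return findings


if __name__ == "__main__":
    for f in find_exposed_keys(json.loads(SAMPLE_RESPONSE)):
        print(f"unmasked key at {f['path']}: rotate key id "
              f"{f['private_key_id']} ({f['client_email']})")
```

An empty result for a response fetched with a low-privileged account's token is the expected state after the fix; any finding names the key id and service account to rotate.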
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-2v6m-6xw3-6467
First tracked: February 26, 2026 at 03:00 PM