
CVE-2026-27465: Fleet's Open Secret: The Google Calendar Key Leak
Vulnerability ID: CVE-2026-27465
CVSS Score: 4.3
Published: 2026-02-26

A deep dive into CVE-2026-27465, where Fleet Device Management inadvertently exposed Google Calendar Service Account private keys to low-privileged users via the application configuration API. This vulnerability highlights the dangers of implicit serialization in Go and the risks of treating configuration data as a 'catch-all' bucket.

TL;DR

Fleet versions prior to 4.80.1 return unmasked Google Service Account credentials in the global configuration API. Authenticated users, even those with the restricted 'Observer' role, can retrieve the full private key, allowing them to impersonate the service account in Google Cloud.

Technical Details

CWE: CWE-201 (Insertion of Sensitive Information Into Sent Data)
CVSS v3.1: 4.3 (Medium)
Attack Vector: Network (Authenticated)
Privileges Required: Low (Observer)
Impact: Information Disclosure (High Confidentiality)
Fixed Vers
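The implicit-serialization risk named above, as an added Go example (not code from Fleet or from the original article): a config struct holding a key as a plain string is emitted verbatim by json.Marshal, while a dedicated secret type masks itself in every encoder path. All type and function names (Secret, LeakyCalendar, SafeCalendar, ConfigBody, LeaksKey) are hypothetical, and the key is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical types for illustration; these are not Fleet's structs.
// constructedKey is a constructed placeholder, not real key material.
const constructedKey = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"

// Secret always serializes as a mask, whichever handler encodes it.
type Secret string

func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return []byte(`""`), nil
	}
	return []byte(`"********"`), nil
}

// LeakyCalendar stores the key as a plain string: json.Marshal emits it as-is.
type LeakyCalendar struct {
	Domain     string `json:"domain"`
	PrivateKey string `json:"private_key"`
}

// SafeCalendar stores the key as Secret: json.Marshal emits the mask.
type SafeCalendar struct {
	Domain     string `json:"domain"`
	PrivateKey Secret `json:"private_key"`
}

// ConfigBody encodes a nested config the way a read-only config endpoint would.
func ConfigBody(integrations interface{}) string {
	b, err := json.Marshal(map[string]interface{}{"integrations": integrations})
	if err != nil {
		return ""
	}
	return string(b)
}

// LeaksKey is a regression check: does a response body carry PEM key material?
func LeaksKey(body string) bool {
	return strings.Contains(body, "PRIVATE KEY-----")
}

func main() {
	leaky := ConfigBody([]LeakyCalendar{{"example.com", constructedKey}})
	safe := ConfigBody([]SafeCalendar{{"example.com", Secret(constructedKey)}})
	fmt.Println(LeaksKey(leaky), leaky)
	fmt.Println(LeaksKey(safe), safe)
}
```

A check like LeaksKey can run in an API test against every role's view of the configuration endpoint, so a newly added credential field that bypasses masking fails the build.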


