Description
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
Published: 2026-03-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation through unauthorized host transfer and full host control
Action: Apply Patch
AI Analysis

Impact

Broken access control in the host transfer API of Fleet open‑source device management allows a team maintainer to move hosts from any team into their own team, bypassing isolation boundaries. Once the host is transferred, the attacker gains full control, including executing scripts with root privileges, effectively enabling privilege escalation. The vulnerability is a classic missing authorization check, classified as CWE‑862.

Affected Systems

Installations of FleetDM Fleet before version 4.81.1 are affected. The software is available as open‑source, and any deployment of those legacy versions is susceptible. The impact applies across all teams within an organization that use Fleet to manage hosts.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, and the EPSS score is below 1 %, meaning that exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog. An attacker must have a team maintainer role and must invoke the host transfer API; no authenticated privilege escalation beyond team boundaries is needed. If discovered, the API call can be easily scripted, so internal malicious users or compromised accounts could exploit it.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.81.1 or later.
  • If an upgrade is not immediately possible, restrict host transfer permissions to the appropriate teams and disable the transfer API for untrusted users.
  • Audit team member roles to ensure only trusted users have team maintainer privileges.
  • Monitor API logs for suspicious host transfer activity.

Generated by OpenCVE AI on March 31, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m2h6-4xpq-qw3m A Fleet team maintainer can transfer hosts from any team via missing source team authorization
History

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Fleetdm
Fleetdm fleet
Vendors & Products Fleetdm
Fleetdm fleet

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
Title Fleet's team maintainer can transfer hosts from any team via missing source team authorization
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Fleetdm Fleet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:54:40.828Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29180

cve-icon Vulnrichment

Updated: 2026-03-31T18:50:47.784Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T19:16:42.567

Modified: 2026-03-31T18:50:35.127

Link: CVE-2026-29180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:26Z

Weaknesses