Description
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
Published: 2026-03-27
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: Escalated privilege and remote code execution on fleet-managed hosts
Action: Immediate Patch
AI Analysis

Impact

Fleet’s host transfer API contains a broken access control flaw that allows a user with team maintainer privileges to move any host from any team into their own team. After the transfer, the maintainer acquires full control of the host, including the ability to run scripts with root privileges. This violation of team isolation boundaries is a classic example of improper authorization (CWE‑862).

Affected Systems

The issue exists in Fleet versions prior to 4.81.1; upgrading to 4.81.1 or later resolves the vulnerability. The affected product is the Fleet device‑management platform developed by fleetdm.

Risk and Exploitability

The CVSS base score of 4.9 indicates moderate severity, but the potential impact is high because the attacker gains root access to any host they transfer. Exploitation requires only legitimate or compromised team‑maintainer credentials and the normal API usage surface; no additional network exposure is necessary. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, implying limited public exploitation data but a substantial risk to organizations that rely on strict team isolation.

Generated by OpenCVE AI on March 27, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fleet 4.81.1 or newer as soon as possible.

Generated by OpenCVE AI on March 27, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m2h6-4xpq-qw3m A Fleet team maintainer can transfer hosts from any team via missing source team authorization
History

Fri, 27 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
Title Fleet's team maintainer can transfer hosts from any team via missing source team authorization
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T18:27:15.576Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29180

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T19:16:42.567

Modified: 2026-03-27T19:16:42.567

Link: CVE-2026-29180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:27:43Z

Weaknesses