CVE-2026-29180
Severity: HIGH
Fleet's team maintainer can transfer hosts from any team via missing source team authorization
Title source: cnaDescription
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
References (1)
https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m
Scores
CVSS v3
8.8
EPSS
0.0032
EPSS Percentile
23.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
fleetdm/fleet
< 4.81.1 (2 CPE variants)
fleetdm/fleet
0 - 4.81.1 (Go)
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026