CVE-2026-29180 Overview
Fleet is open source device management software used to manage and monitor devices across enterprise environments. A broken access control vulnerability exists in Fleet's host transfer API prior to version 4.81.1. This vulnerability allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges.
Critical Impact
Attackers with team maintainer privileges can bypass team isolation boundaries to steal hosts from other teams and gain root-level script execution capabilities on those devices.
Affected Products
- FleetDM Fleet versions prior to 4.81.1
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-29180 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-29180
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), indicating that the affected host transfer API endpoint fails to properly verify whether the requesting user has authorization to transfer hosts from the source team. The flaw exists in the access control logic governing host transfers between teams within Fleet's multi-tenant architecture.
The vulnerability is exploitable over the network and requires low attack complexity, though the attacker must possess authenticated access as a team maintainer. The primary security impact is to integrity, as unauthorized host transfers violate the expected team isolation model and can lead to complete compromise of the transferred devices.
Root Cause
The root cause is a missing authorization check in Fleet's host transfer API. When processing host transfer requests, the API validates that the requesting user has maintainer privileges for the destination team but fails to verify whether they have any authorization over the source team from which hosts are being transferred. This oversight allows any team maintainer to effectively "steal" hosts from teams they have no legitimate access to.
Attack Vector
An authenticated attacker with team maintainer privileges can exploit this vulnerability through the following attack sequence:
- The attacker authenticates to Fleet with valid team maintainer credentials for their assigned team
- The attacker identifies host identifiers belonging to other teams (potentially through enumeration or information disclosure)
- The attacker crafts an API request to the host transfer endpoint, specifying target hosts from another team and their own team as the destination
- The vulnerable API processes the request without validating source team authorization
- The hosts are transferred to the attacker's team, granting them full management capabilities
- The attacker can now execute scripts with root privileges on the compromised hosts
The attack leverages the network-accessible API and requires only low-privilege authenticated access as a team maintainer. No user interaction is required, and the attacker can target any host across the Fleet deployment regardless of team boundaries.
Detection Methods for CVE-2026-29180
Indicators of Compromise
- Unexpected host transfers between teams, particularly hosts moving to teams where they don't logically belong
- API audit logs showing host transfer requests from users who are not maintainers of the source team
- Sudden changes in team membership for critical infrastructure hosts
- Script execution activity on hosts shortly after unexpected team transfers
Detection Strategies
- Implement audit logging for all host transfer API calls, capturing source team, destination team, and requesting user
- Alert on host transfers where the requesting user lacks maintainer privileges for the source team
- Monitor for patterns of hosts being transferred from multiple teams to a single team in a short timeframe
- Review Fleet audit logs for anomalous host transfer activity patterns
Monitoring Recommendations
- Enable comprehensive API request logging in Fleet deployments
- Configure alerts for any host transfer operations involving sensitive or production hosts
- Establish baseline metrics for normal host transfer activity and alert on deviations
- Integrate Fleet audit logs with SIEM solutions for centralized monitoring and correlation
How to Mitigate CVE-2026-29180
Immediate Actions Required
- Upgrade Fleet to version 4.81.1 or later immediately
- Review audit logs for any suspicious host transfer activity prior to patching
- Verify current team host assignments to ensure no unauthorized transfers have occurred
- Temporarily restrict team maintainer privileges to trusted personnel until patching is complete
Patch Information
FleetDM has released version 4.81.1 which patches this vulnerability by implementing proper authorization checks on the host transfer API. The patch ensures that users can only transfer hosts from teams where they have appropriate maintainer-level access. Organizations should update to this version as soon as possible. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Restrict network access to Fleet's API endpoints using firewall rules or network segmentation
- Implement additional authentication requirements for host transfer operations at the network layer
- Temporarily disable or restrict the host transfer functionality if operationally feasible
- Reduce the number of users with team maintainer privileges to minimize the attack surface
- Monitor and alert on all host transfer API activity until the patch can be applied
# Verify Fleet version after upgrade
fleetctl version
# Expected output should show version 4.81.1 or higher
# Review recent host transfer activity (example query)
fleetctl get audit-logs --type host_transfer --since 2026-03-01
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
