PT-2026-28387 · Fleet · Fleet

Secfox-Ai · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-29180

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.1

Description: Fleet is open source device management software. A broken access control vulnerability exists in the host transfer API. A team maintainer can transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. The host transfer endpoints verify write permission to the destination team but do not check permission over the source team. A bulk transfer variant allows stealing all matching hosts fleet-wide in a single request. Exploitation requires authentication as a team maintainer or team admin.

Recommendations: Versions prior to 4.81.1 should be upgraded. Organizations concerned about exploitation should audit host transfer activity in Fleet logs for any unexpected team reassignments.
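The description and the recommendation above are illustrated by the following added example. It is not Fleet's code and makes no assumption about how Fleet's real authorization layer or activity log is structured: the Actor, Host and TransferEvent types, the two authorize functions and the audit helper are all hypothetical. It contrasts a destination-only check (the flaw described) with one that also requires write rights on every distinct source team, which covers the bulk variant, and then flags recorded transfers whose source team the actor had no right to modify.

```go
package main

import (
	"errors"
	"fmt"
)

// Actor is a hypothetical authenticated user; WriteTeams holds the team IDs
// on which they have maintainer/admin (write) rights.
type Actor struct {
	Name       string
	WriteTeams map[int]bool
}

// Host is a hypothetical managed device and the team it currently belongs to.
// A host with no team is modelled as TeamID 0 and is denied unless the actor
// explicitly holds rights on 0 (assumption, not Fleet's semantics).
type Host struct {
	ID     int
	TeamID int
}

var ErrForbidden = errors.New("forbidden")

// authorizeTransferVulnerable reproduces the flaw the advisory describes: only
// the destination team is checked, so a maintainer of any one team can pull
// hosts out of teams they do not control.
func authorizeTransferVulnerable(a Actor, hosts []Host, destTeam int) error {
	if !a.WriteTeams[destTeam] {
		return fmt.Errorf("%w: no write access to destination team %d", ErrForbidden, destTeam)
	}
	return nil
}

// authorizeTransferFixed additionally requires write access on every distinct
// source team among the selected hosts. Deriving the source teams from the
// hosts themselves (not from a caller-supplied team ID) is what makes the
// check hold for the bulk variant, where a filter may match hosts from many teams.
func authorizeTransferFixed(a Actor, hosts []Host, destTeam int) error {
	if !a.WriteTeams[destTeam] {
		return fmt.Errorf("%w: no write access to destination team %d", ErrForbidden, destTeam)
	}
	checked := map[int]bool{}
	for _, h := range hosts {
		if checked[h.TeamID] {
			continue
		}
		checked[h.TeamID] = true
		if !a.WriteTeams[h.TeamID] {
			return fmt.Errorf("%w: no write access to source team %d (host %d)", ErrForbidden, h.TeamID, h.ID)
		}
	}
	return nil
}

// TransferEvent is a constructed shape for an audit record of one host
// transfer; real Fleet activity entries are not assumed to look like this.
type TransferEvent struct {
	Actor    string
	HostID   int
	FromTeam int
	ToTeam   int
}

// suspiciousTransfers applies the advisory's recommendation in miniature:
// given each actor's team rights, flag transfers whose source team the actor
// was not entitled to modify (unknown actors are flagged as well).
func suspiciousTransfers(events []TransferEvent, actors map[string]Actor) []TransferEvent {
	var out []TransferEvent
	for _, e := range events {
		a, known := actors[e.Actor]
		if !known || !a.WriteTeams[e.FromTeam] {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed scenario: a maintainer of team 2 bulk-transfers hosts from
	// teams 1, 2 and 3 into team 2.
	maintainer := Actor{Name: "maintainer-team2", WriteTeams: map[int]bool{2: true}}
	hosts := []Host{{ID: 1, TeamID: 1}, {ID: 2, TeamID: 2}, {ID: 3, TeamID: 3}}
	fmt.Println("vulnerable check:", authorizeTransferVulnerable(maintainer, hosts, 2)) // <nil>: allowed
	fmt.Println("fixed check:", authorizeTransferFixed(maintainer, hosts, 2))           // forbidden

	// Constructed audit records as they might have been logged by the vulnerable code.
	events := []TransferEvent{
		{Actor: "maintainer-team2", HostID: 2, FromTeam: 2, ToTeam: 2},
		{Actor: "maintainer-team2", HostID: 3, FromTeam: 3, ToTeam: 2},
	}
	for _, e := range suspiciousTransfers(events, map[string]Actor{maintainer.Name: maintainer}) {
		fmt.Printf("audit: %s moved host %d from team %d to team %d without source-team rights\n",
			e.Actor, e.HostID, e.FromTeam, e.ToTeam)
	}
}
```

The design point is that the fixed check iterates the hosts actually selected by the request rather than trusting any team identifier the caller passes, so a single-host transfer and a filter-driven bulk transfer go through the same source-team authorization.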

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-29180
GHSA-M2H6-4XPQ-QW3M
GO-2026-4892
SUSE-SU-2026:1205-1

Affected Products

Fleet