CVE-2026-29180
Published: 27 March 2026
Summary
CVE-2026-29180 is a high-severity Missing Authorization (CWE-862) vulnerability in Fleetdm Fleet. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 16.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for logical access to information and system resources, directly addressing the improper permissions enforcement in Fleet's host transfer API that allows unauthorized cross-team host transfers.
AC-6 applies least privilege to restrict team maintainers to only their team's hosts, preventing exploitation that grants control over unauthorized hosts.
AC-24 mandates access control decisions for specific functions and resources like host transfers, ensuring checks against team isolation boundaries before authorization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control in the host transfer API allows a low-privileged authenticated user to bypass team isolation and gain root-level control (including arbitrary script execution) over additional hosts, which directly matches Exploitation for Privilege Escalation.
NVD Description
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
Deeper analysis
CVE-2026-29180 is a broken access control vulnerability (CWE-862) in Fleet, open source device management software. Prior to version 4.81.1, the host transfer API does not properly enforce permissions, enabling unauthorized transfers of hosts across team isolation boundaries. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A team maintainer, requiring only low privileges (PR:L), can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction. By calling the affected API, the attacker transfers hosts from any other team into their own, bypassing isolation controls. This grants full control over the stolen hosts, including the ability to execute arbitrary scripts with root privileges, resulting in high confidentiality, integrity, and availability impacts.
Fleet version 4.81.1 addresses the vulnerability with a patch. Additional details are available in the security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m.
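The following Go program is an added illustration of the CWE-862 pattern the advisory describes and of the AC-3/AC-24 style enforcement that closes it; it is not Fleet's code and does not reproduce Fleet's actual API, data model or patch. The `User`, `Host`, `Role`, `canManageTeam`, `transferHostsVulnerable` and `transferHostsFixed` names, and the inventory built by `sampleInventory`, are all constructed for this example. The vulnerable variant authorizes only against the destination team, so a maintainer of one team can pull hosts out of another; the fixed variant requires authorization on the current team of every host as well, and performs every check before mutating anything so a denied request leaves no partial transfer.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Role a user holds on a particular team (hypothetical model, not Fleet's).
type Role string

const RoleMaintainer Role = "maintainer"

// User carries per-team roles; GlobalAdmin bypasses team scoping.
type User struct {
	Name        string
	GlobalAdmin bool
	TeamRoles   map[int]Role // team ID -> role on that team
}

// Host belongs to exactly one team.
type Host struct {
	ID     int
	TeamID int
}

var ErrForbidden = errors.New("forbidden: caller may not transfer these hosts")

// canManageTeam is the single authorization decision point (the AC-24 idea):
// global admins manage everything, otherwise the caller needs the maintainer
// role on that specific team.
func canManageTeam(u User, teamID int) bool {
	if u.GlobalAdmin {
		return true
	}
	return u.TeamRoles[teamID] == RoleMaintainer
}

// transferHostsVulnerable reproduces the CWE-862 shape from the advisory:
// only the destination team is checked, so the source team is never consulted
// and cross-team transfers succeed. Kept as the "before" picture.
func transferHostsVulnerable(u User, hosts map[int]*Host, hostIDs []int, destTeam int) error {
	if !canManageTeam(u, destTeam) {
		return ErrForbidden
	}
	for _, id := range hostIDs {
		h, ok := hosts[id]
		if !ok {
			return fmt.Errorf("host %d not found", id)
		}
		h.TeamID = destTeam // source team never consulted
	}
	return nil
}

// transferHostsFixed enforces authorization on both ends of the transfer
// (the AC-3 idea): the caller must manage the destination team and the
// current team of every host. All checks run before any mutation.
func transferHostsFixed(u User, hosts map[int]*Host, hostIDs []int, destTeam int) error {
	if !canManageTeam(u, destTeam) {
		return ErrForbidden
	}
	for _, id := range hostIDs {
		h, ok := hosts[id]
		if !ok {
			return fmt.Errorf("host %d not found", id)
		}
		if !canManageTeam(u, h.TeamID) {
			return ErrForbidden
		}
	}
	for _, id := range hostIDs {
		hosts[id].TeamID = destTeam
	}
	return nil
}

// sampleInventory builds constructed data: team 1 owns hosts 1 and 2,
// team 2 owns host 3, and "mallory" is a maintainer of team 2 only.
func sampleInventory() (User, map[int]*Host) {
	mallory := User{Name: "mallory", TeamRoles: map[int]Role{2: RoleMaintainer}}
	hosts := map[int]*Host{
		1: {ID: 1, TeamID: 1},
		2: {ID: 2, TeamID: 1},
		3: {ID: 3, TeamID: 2},
	}
	return mallory, hosts
}

// hostsOnTeam returns the sorted host IDs currently assigned to a team.
func hostsOnTeam(hosts map[int]*Host, teamID int) []int {
	var ids []int
	for _, h := range hosts {
		if h.TeamID == teamID {
			ids = append(ids, h.ID)
		}
	}
	sort.Ints(ids)
	return ids
}

func main() {
	mallory, hosts := sampleInventory()
	err := transferHostsVulnerable(mallory, hosts, []int{1, 2}, 2)
	fmt.Println("vulnerable:", err, "team 2 now has", hostsOnTeam(hosts, 2))

	mallory, hosts = sampleInventory()
	err = transferHostsFixed(mallory, hosts, []int{1, 2}, 2)
	fmt.Println("fixed:", err, "team 2 still has", hostsOnTeam(hosts, 2))
}
```

Two design points carry over to any real host transfer endpoint: the authorization decision lives in one function that is consulted for every team involved rather than only the one named in the request, and the endpoint validates the whole batch before it writes, so a denial cannot leave some hosts moved and others not. Logging each denied transfer with the caller, source team and destination team is the natural detection signal for attempts of this kind.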
Details
- CWE(s)