Fleet is an open source device management platform used to manage and monitor hosts across teams within an organization. CVE-2026-29180 is a broken access control vulnerability classified under CWE-862, which arises from insufficient authorization checks in Fleet's host transfer API. Specifically, prior to version 4.81.1, a user with team maintainer privileges can transfer hosts from any team into their own team without proper authorization validation. This bypasses the intended team isolation boundaries designed to segregate hosts between different teams. Once a host is transferred, the attacker gains full administrative control over it, including the ability to execute arbitrary scripts with root privileges. This capability can lead to complete compromise of the affected hosts and potentially enable lateral movement or further escalation within the environment. The vulnerability has a CVSS 4.0 base score of 4.9, reflecting medium severity due to the requirement of team maintainer privileges (limited scope) but no additional authentication or user interaction. The flaw was publicly disclosed on March 27, 2026, and patched in Fleet version 4.81.1. No known exploits have been reported in the wild, but the impact of exploitation could be significant in environments relying on Fleet for host management and security enforcement.

The primary impact of this vulnerability is unauthorized host takeover within organizations using Fleet device management software. An attacker with team maintainer privileges can bypass team isolation and transfer hosts from other teams, gaining root-level control over those hosts. This undermines the confidentiality, integrity, and availability of the affected systems. Compromise of hosts can lead to data theft, deployment of malware, disruption of operations, and lateral movement across the network. Organizations with segmented teams relying on Fleet for host management lose the security boundary between teams, increasing risk of insider threats or privilege abuse. The vulnerability could also facilitate supply chain or insider attacks if attackers leverage compromised team maintainer accounts. While exploitation requires some level of privilege, the lack of additional authentication or user interaction lowers the barrier for attackers already inside the environment. Overall, the vulnerability poses a moderate risk to organizations that have not updated to the patched version, especially those with complex team structures and critical infrastructure managed by Fleet.

1. Upgrade Fleet to version 4.81.1 or later immediately to apply the official patch that fixes the broken access control in the host transfer API. 2. Review and restrict team maintainer privileges to only trusted personnel, minimizing the number of users who can perform host transfers. 3. Implement strong monitoring and alerting on host transfer activities within Fleet to detect unusual or unauthorized transfers promptly. 4. Conduct regular audits of team memberships and host assignments to identify and remediate any unauthorized changes. 5. Enforce the principle of least privilege for all Fleet users and integrate Fleet access controls with centralized identity and access management solutions. 6. Consider network segmentation and host-based controls to limit the impact of compromised hosts even if transferred. 7. Educate administrators about the risks of privilege abuse and ensure secure credential management to prevent account compromise. 8. If upgrading immediately is not feasible, temporarily disable or restrict the host transfer API usage via configuration or firewall rules where possible.