Executive Summary

CVE-2026-29180 is a broken access control vulnerability in Fleet's host transfer API affecting versions prior to 4.81.1.

This flaw allows a team maintainer to transfer hosts from any source team into their own team without proper authorization checks on the source team.

The API only verifies write permission on the destination team but fails to confirm permissions on the source team, enabling attackers to bypass team isolation boundaries in multi-tenant Fleet deployments.

Once hosts are transferred, the attacker gains full control over the stolen devices, including the ability to execute scripts with root privileges, as the attacker's team Mobile Device Management (MDM) configuration is automatically applied.

A bulk transfer variant further enables stealing all matching hosts across the entire Fleet deployment in a single request.

Exploitation requires authentication as a team maintainer or team admin.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with team maintainer or admin privileges to bypass team isolation boundaries and transfer hosts from any team into their own.

Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges.

This can lead to unauthorized access and control over devices managed by Fleet, potentially compromising sensitive data and system integrity.

In multi-tenant environments, this breaks the expected separation between teams, increasing the risk of data leakage and unauthorized operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by auditing host transfer logs for any unauthorized team reassignments. Monitoring these logs helps identify if hosts have been transferred from one team to another without proper authorization, which indicates potential exploitation.

Since the vulnerability involves the host transfer API, reviewing API access logs or Fleet's internal logs for unusual or bulk host transfer requests by team maintainers or admins can also help detect exploitation attempts.

Specific commands are not provided in the available resources, but administrators should focus on querying Fleet's logs or database entries related to host transfers, filtering for transfers that do not align with expected team permissions.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and only effective mitigation step is to upgrade Fleet to version 4.81.1 or later, where this broken access control vulnerability in the host transfer API has been patched.

There are no workarounds available, so applying the update promptly is critical to prevent unauthorized host transfers and potential full control takeover of hosts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized transfer of hosts between teams, bypassing team isolation boundaries and granting attackers full control over stolen hosts, including root-level script execution.

Such unauthorized access and control over devices could lead to exposure or manipulation of sensitive data, which may violate data protection requirements under regulations like GDPR and HIPAA.

Organizations using affected versions of Fleet should upgrade to version 4.81.1 or later to mitigate this risk and audit host transfer logs to detect any unauthorized activity, helping maintain compliance with security and privacy standards.

Useful 0 Not Useful 0