CVE-2026-29180: A Fleet team maintainer can transfer hosts from any team via missing source team authorization

March 27, 2026

A broken access control vulnerability in Fleet’s host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges.

References

github.com/advisories/GHSA-m2h6-4xpq-qw3m
github.com/fleetdm/fleet
github.com/fleetdm/fleet/releases/tag/fleet-v4.81.1
github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m
nvd.nist.gov/vuln/detail/CVE-2026-29180

Code Behaviors & Features

Detect and mitigate CVE-2026-29180 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →