CVE-2026-29180
PUBLISHED
CVSS 4.9 MEDIUM
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
EPSS 0.02% · 6.6th percentile
Risk Scores
CVSS 4.0
4.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
EPSS Score
0.02%
6.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| fleetdm | fleet | *, < 4.81.1, * |
| github.com | fleetdm/fleet/v4 | 0, 0, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-29180 (circl-sighting)
- https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m (circl)
Timeline
- Mar 27, 2026 CVE Published
- Mar 27, 2026 Coalition ESS Score
- Mar 28, 2026 Security Advisory
- Mar 31, 2026 PoC Published
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score