Auth bypass in Fleetdm Fleet

CVE-2026-29180

Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation bou…

Vulnerability class: Broken Access Control

EPSS: 0.000 (6.6th percentile) — read the EPSS interpretation.

Affected products

Fleetdm Fleet — versions < 4.81.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m (x_refsource_CONFIRM)