GHSA-m2h6-4xpq-qw3m: A Fleet team maintainer can transfer hosts from any team via missing source team authorization
Summary
Fleet's host transfer API has a broken access control vulnerability: the endpoint does not check the caller's authorization on the team the hosts currently belong to (the source team), only on where they are going, so a team maintainer can move hosts out of any other team and into one they maintain. Once the hosts are on the attacker's team, the attacker can manage them through Fleet and run scripts on them as root, which breaks the team isolation that multi-tenant Fleet deployments rely on.
Solution / Mitigation
Upgrade to a patched version of Fleet. The source states: 'There is no workaround for this issue short of upgrading to a patched version.' As a precaution, review host transfer activity in Fleet's logs and flag any transfer performed by a team-scoped user that moved hosts out of a team that user does not maintain.
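The following is an added example, not Fleet's code, that models the flaw from the summary and the audit suggested above in one place. It assumes a hypothetical data model (Host, User, TransferRequest), a hypothetical rule that hosts with no team may only be touched by global roles, and a constructed TransferRecord that captured each host's team before the transfer; Fleet's real types, roles and activity schema are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model (assumption, not Fleet's types): a nil TeamID means "no team".
type Host struct {
	ID     uint
	TeamID *uint
}

type User struct {
	ID           uint
	GlobalAdmin  bool
	MaintainerOf map[uint]bool // team IDs on which the user is a maintainer
}

type TransferRequest struct {
	HostIDs  []uint
	DestTeam *uint // nil = remove the hosts from any team
}

var ErrForbidden = errors.New("forbidden")

// canMaintain: global admins may touch any team; team maintainers only their own
// teams; hosts with no team are reserved for global roles (assumption).
func (u User) canMaintain(team *uint) bool {
	if u.GlobalAdmin {
		return true
	}
	if team == nil {
		return false
	}
	return u.MaintainerOf[*team]
}

// vulnerableAuthorize mirrors the advisory's flaw: only the destination team is checked,
// so the caller never has to be authorized on the hosts' current team.
func vulnerableAuthorize(u User, hosts map[uint]Host, req TransferRequest) error {
	if !u.canMaintain(req.DestTeam) {
		return ErrForbidden
	}
	return nil
}

// fixedAuthorize checks the destination team and the current (source) team of every host.
func fixedAuthorize(u User, hosts map[uint]Host, req TransferRequest) error {
	if !u.canMaintain(req.DestTeam) {
		return ErrForbidden
	}
	for _, id := range req.HostIDs {
		h, ok := hosts[id]
		if !ok {
			return fmt.Errorf("host %d: not found", id)
		}
		if !u.canMaintain(h.TeamID) {
			return fmt.Errorf("host %d: %w", id, ErrForbidden)
		}
	}
	return nil
}

// TransferRecord is a constructed audit record (not Fleet's activity schema). It assumes the
// log captured each host's team before the transfer.
type TransferRecord struct {
	ID        uint
	ActorID   uint
	HostIDs   []uint
	PriorTeam map[uint]*uint // host ID -> team before the transfer
	DestTeam  *uint
}

// auditTransfers replays the fixed check over historical transfers and returns the IDs of
// records the patched rule would have refused, i.e. candidates for unexpected reassignment.
func auditTransfers(records []TransferRecord, users map[uint]User) []uint {
	var flagged []uint
	for _, r := range records {
		hosts := make(map[uint]Host, len(r.HostIDs))
		for _, id := range r.HostIDs {
			hosts[id] = Host{ID: id, TeamID: r.PriorTeam[id]}
		}
		u, ok := users[r.ActorID]
		req := TransferRequest{HostIDs: r.HostIDs, DestTeam: r.DestTeam}
		if !ok || fixedAuthorize(u, hosts, req) != nil {
			flagged = append(flagged, r.ID)
		}
	}
	return flagged
}

func main() {
	teamA, teamB := uint(1), uint(2)
	// Constructed sample data: user 7 maintains team B only and pulls host 10 out of team A.
	users := map[uint]User{7: {ID: 7, MaintainerOf: map[uint]bool{teamB: true}}}
	records := []TransferRecord{
		{ID: 100, ActorID: 7, HostIDs: []uint{10}, PriorTeam: map[uint]*uint{10: &teamA}, DestTeam: &teamB},
		{ID: 101, ActorID: 7, HostIDs: []uint{20}, PriorTeam: map[uint]*uint{20: &teamB}, DestTeam: &teamB},
	}
	fmt.Println("flagged transfer records:", auditTransfers(records, users))
}
```

The vulnerable function accepts the first record because the caller maintains the destination team; the fixed function rejects it because host 10's source team is not one the caller maintains. Replaying the fixed rule over past transfers is the same check applied retroactively, which is why the audit reuses it.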
Vulnerability Details
EPSS: 0.0%
March 27, 2026
Original source: https://github.com/advisories/GHSA-m2h6-4xpq-qw3m
First tracked: March 28, 2026 at 02:00 AM