Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.
AnalysisAI
Fleet device management software versions prior to 4.81.1 contain a broken access control vulnerability in the host transfer API that allows authenticated team maintainers to transfer hosts from any team into their own team, circumventing team isolation boundaries and gaining full control over stolen hosts including root-level script execution capabilities. The vulnerability requires authenticated access (PR:L in CVSS vector) but presents high integrity impact due to the ability to execute privileged commands on managed endpoints. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
Fleet is an open source device management and endpoint visibility platform (cpe:2.3:a:fleetdm:fleet). The vulnerability exists in the host transfer API endpoint, which is intended to allow team maintainers to move hosts between teams within authorized boundaries. The root cause is classified as CWE-862 (Missing Authorization), indicating insufficient access control checks on the API operation. The flaw allows a team maintainer to invoke the transfer function without proper validation of whether the source team is within their authorization scope, enabling lateral privilege escalation from team isolation boundaries. Specifically, the API endpoint fails to verify that the calling user possesses authorization over the source team before permitting the host transfer operation, allowing maintainers to extract hosts from teams they do not manage.
RemediationAI
Upgrade Fleet to version 4.81.1 or later immediately to patch the broken access control vulnerability (see vendor advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m). Until patching is possible, implement network-based access controls to restrict API calls to the host transfer endpoint to only trusted administrative users, and audit recent host transfer logs to identify any unauthorized transfers between teams that may indicate exploitation. Additionally, review and validate team maintainer role assignments to minimize the number of users with the privilege required to invoke this API.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16746
GHSA-m2h6-4xpq-qw3m