Skip to main content

Suse EUVDEUVD-2026-16746

| CVE-2026-29180 MEDIUM
Missing Authorization (CWE-862)
2026-03-27 GitHub_M GHSA-m2h6-4xpq-qw3m
4.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2026-16746
Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
CVE Published
Mar 27, 2026 - 18:27 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges. Version 4.81.1 patches the issue.

AnalysisAI

Fleet device management software versions prior to 4.81.1 contain a broken access control vulnerability in the host transfer API that allows authenticated team maintainers to transfer hosts from any team into their own team, circumventing team isolation boundaries and gaining full control over stolen hosts including root-level script execution capabilities. The vulnerability requires authenticated access (PR:L in CVSS vector) but presents high integrity impact due to the ability to execute privileged commands on managed endpoints. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

Fleet is an open source device management and endpoint visibility platform (cpe:2.3:a:fleetdm:fleet). The vulnerability exists in the host transfer API endpoint, which is intended to allow team maintainers to move hosts between teams within authorized boundaries. The root cause is classified as CWE-862 (Missing Authorization), indicating insufficient access control checks on the API operation. The flaw allows a team maintainer to invoke the transfer function without proper validation of whether the source team is within their authorization scope, enabling lateral privilege escalation from team isolation boundaries. Specifically, the API endpoint fails to verify that the calling user possesses authorization over the source team before permitting the host transfer operation, allowing maintainers to extract hosts from teams they do not manage.

RemediationAI

Upgrade Fleet to version 4.81.1 or later immediately to patch the broken access control vulnerability (see vendor advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m). Until patching is possible, implement network-based access controls to restrict API calls to the host transfer endpoint to only trusted administrative users, and audit recent host transfer logs to identify any unauthorized transfers between teams that may indicate exploitation. Additionally, review and validate team maintainer role assignments to minimize the number of users with the privilege required to invoke this API.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-16746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy