Description
Advisory GHSA-m2h6-4xpq-qw3m references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/fleetdm/fleet/v2 |
| github.com/fleetdm/fleet/v3 |
| github.com/fleetdm/fleet/v4 |
Description:
Summary
A broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges.
Impact
The host transfer endpoints verify that the caller has write permission to the destination team but do not check whether the caller has any permission over the source team of the hosts being transferred.
Once hosts are transferred, the attacker's team MDM...
References:
- ADVISORY: GHSA-m2h6-4xpq-qw3m
- WEB: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.1
Cross references:
- github.com/fleetdm/fleet/v4 appears in 11 other report(s):
  - data/excluded/GO-2022-0594.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-ch68-7cf4-35vr #594) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0766.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-w3wf-cfx3-6gcx #766) DEPENDENT_VULNERABILITY
  - data/reports/GO-2025-3505.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-52jx-g6m5-h735 #3505)
  - data/reports/GO-2026-4334.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-4r5r-ccr6-q6f6 #4334)
  - data/reports/GO-2026-4335.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet: GHSA-63m5-974w-448v #4335)
  - data/reports/GO-2026-4336.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-gfpw-jgvr-cw4j #4336)
  - data/reports/GO-2026-4557.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-49xw-vfc4-7p43 #4557)
  - data/reports/GO-2026-4560.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-2v6m-6xw3-6467 #4560)
  - data/reports/GO-2026-4561.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-5jvp-m9h4-253h #4561)
  - data/reports/GO-2026-4563.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-9pm7-6g36-6j78 #4563)
  - data/reports/GO-2026-4564.yaml (x/vulndb: potential Go vuln in github.com/fleetdm/fleet/v4: GHSA-ppwx-5jq7-px2w #4564)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/fleetdm/fleet/v2
    - module: github.com/fleetdm/fleet/v3
    - module: github.com/fleetdm/fleet/v4
      versions:
          - fixed: 4.81.1
      vulnerable_at: 4.81.0
summary: |-
    A Fleet team maintainer can transfer hosts from any team via missing source team
    authorization in github.com/fleetdm/fleet
cves:
    - CVE-2026-29180
ghsas:
    - GHSA-m2h6-4xpq-qw3m
references:
    - advisory: https://github.com/advisories/GHSA-m2h6-4xpq-qw3m
    - advisory: https://github.com/fleetdm/fleet/security/advisories/GHSA-m2h6-4xpq-qw3m
    - web: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.81.1
notes:
    - fix: 'github.com/fleetdm/fleet/v2: could not add vulnerable_at: no fix, but could not find latest version from proxy: unexpected end of JSON input'
    - fix: 'github.com/fleetdm/fleet/v3: could not add vulnerable_at: no fix, but could not find latest version from proxy: unexpected end of JSON input'
source:
    id: GHSA-m2h6-4xpq-qw3m
    created: 2026-03-27T21:02:47.979106218Z
    review_status: UNREVIEWED
```