Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- < 4.81.1
A broken access control vulnerability exists in Fleet's host transfer API in versions prior to 4.81.1. A user holding the team maintainer role on one team can transfer hosts from any other team into their own, bypassing team isolation. The root cause is that the host transfer endpoints check only that the caller has write permission on the destination team; they never check whether the caller has any permission over the source team each host currently belongs to. Once a host is moved, the attacker's team controls it fully, including the ability to run scripts on it with root privileges.
Exploitation breaks the team isolation guarantee that multi-tenant Fleet deployments rely on. After the transfer, the attacker's team MDM configuration is applied to the affected devices, and the attacker can execute scripts on them as root. A bulk transfer variant applies the same missing check to a fleet-wide host filter, so every host matching the filter can be pulled into the attacker's team in a single request.
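To make the missing check concrete, the following Go sketch is an added example written for this page; it is not Fleet's code and uses a simplified, hypothetical role model (Principal, Host, canWriteTeam) in place of Fleet's own authorization layer. transferHostsVulnerable reproduces the flaw the advisory describes (only the destination team is authorized); transferHostsFixed authorizes every source team as well, before any host is moved; and selectHostsForBulkTransfer shows how the filter-based bulk variant has to scope its candidate set to the caller's writable teams before the hosts ever reach the transfer.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified, hypothetical role model for this example; not Fleet's own types.
type Role string

const (
	RoleAdmin      Role = "admin"
	RoleMaintainer Role = "maintainer"
	RoleObserver   Role = "observer"
)

// Principal is the API caller: a global role, or per-team roles keyed by team ID.
type Principal struct {
	Name       string
	GlobalRole Role          // empty for a team-scoped user
	TeamRoles  map[uint]Role // team ID -> role on that team
}

// Host records the team it currently belongs to; 0 means "no team".
type Host struct {
	ID     uint
	TeamID uint
}

var ErrForbidden = errors.New("forbidden")

// canWriteTeam reports whether p may modify hosts belonging to team id.
// Global admins/maintainers can write every team, including "no team" (0);
// team-scoped users only the teams where they hold admin or maintainer.
func (p Principal) canWriteTeam(id uint) bool {
	if p.GlobalRole == RoleAdmin || p.GlobalRole == RoleMaintainer {
		return true
	}
	r, ok := p.TeamRoles[id]
	return ok && (r == RoleAdmin || r == RoleMaintainer)
}

// transferHostsVulnerable reproduces the flaw in the advisory: only the
// destination team is authorized, so a maintainer on dest can pull hosts
// out of any team, including teams they cannot even read.
func transferHostsVulnerable(p Principal, dest uint, hosts []Host) error {
	if !p.canWriteTeam(dest) {
		return ErrForbidden
	}
	for i := range hosts {
		hosts[i].TeamID = dest
	}
	return nil
}

// transferHostsFixed authorizes the destination AND every distinct source
// team before moving anything, so a denied host cannot leave the batch
// half-applied.
func transferHostsFixed(p Principal, dest uint, hosts []Host) error {
	if !p.canWriteTeam(dest) {
		return ErrForbidden
	}
	checked := map[uint]bool{}
	for _, h := range hosts {
		if checked[h.TeamID] {
			continue
		}
		checked[h.TeamID] = true
		if !p.canWriteTeam(h.TeamID) {
			return fmt.Errorf("%w: host %d is on team %d, which %s cannot write",
				ErrForbidden, h.ID, h.TeamID, p.Name)
		}
	}
	for i := range hosts {
		hosts[i].TeamID = dest
	}
	return nil
}

// selectHostsForBulkTransfer handles the filter-based bulk variant. The
// caller-supplied filter runs fleet-wide, so the candidate set is narrowed
// to teams the caller can write before it is handed to the transfer; every
// host returned therefore passes transferHostsFixed's source-team check.
func selectHostsForBulkTransfer(p Principal, all []Host, match func(Host) bool) []Host {
	var out []Host
	for _, h := range all {
		if match(h) && p.canWriteTeam(h.TeamID) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Constructed scenario: mallory maintains team 2 only; the hosts live on team 1.
	mallory := Principal{Name: "mallory", TeamRoles: map[uint]Role{2: RoleMaintainer}}
	hosts := []Host{{ID: 10, TeamID: 1}, {ID: 11, TeamID: 1}}
	fmt.Println("vulnerable:", transferHostsVulnerable(mallory, 2, hosts), hosts)

	hosts = []Host{{ID: 10, TeamID: 1}, {ID: 11, TeamID: 1}}
	fmt.Println("fixed:", transferHostsFixed(mallory, 2, hosts), hosts)
}
```

The design choice worth noting is in the two variants: for an explicit list of host IDs the fixed path rejects the whole request if any host sits on a team the caller cannot write, because silently dropping some of the requested hosts would hide the denial from the caller; for the filter-based bulk path the candidate set is narrowed instead, since a fleet-wide filter will almost always match hosts outside a team maintainer's scope and the intended semantics are "everything I am allowed to move that matches".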
Users are advised to upgrade to Fleet 4.81.1 or later. Because exploitation requires an existing account with the team maintainer role, organizations that suspect abuse should audit host transfer activity in their Fleet logs for transfers into a team whose hosts previously belonged to a team the acting user held no role on, and review any scripts run on those hosts after the transfer.