PT-2026-22054 · Fleet · Fleet

Fuzzztf · Published 2026-02-26 · Updated 2026-03-25 · CVE-2026-26186

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.80.1

Description: Fleet is open source device management software. A SQL injection issue exists due to unsafe use of goqu.I() when constructing the ORDER BY clause. This allows authenticated users to inject arbitrary SQL expressions via the order key query parameter. An authenticated attacker with access to the affected endpoint could inject SQL expressions into the underlying MySQL query. Although the injection occurs in an ORDER BY context, it is sufficient to enable blind SQL injection techniques that can disclose database information through conditional expressions that affect result ordering. Crafted expressions may also cause excessive computation or query failures, potentially leading to degraded performance or denial of service. The vulnerable parameter is order key.

Recommendations: Upgrade to Fleet version 4.80.1 or later. If an immediate upgrade is not possible, restrict access to the affected endpoint to trusted roles only. Ensure that any user-supplied sort or column parameters are strictly allow-listed at the application or proxy layer.
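The allow-listing the recommendation calls for, shown as an added Go example that is not Fleet's code and does not use goqu: `buildOrderByUnsafe` reproduces the general pattern the advisory describes (a client-controlled sort key spliced into ORDER BY as if it were a trusted identifier), and `buildOrderBySafe` replaces it with a lookup against a fixed map of sortable columns plus a strict direction check. The table name, column names and the sample hostile input are constructed for the example and are not taken from Fleet's schema.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Allow-list of sortable columns. Keys are the only values a client may send as
// the sort key; values are the column actually emitted into SQL. Column names
// are constructed for this example, not Fleet's real schema.
var sortableColumns = map[string]string{
	"hostname":   "h.hostname",
	"created_at": "h.created_at",
	"updated_at": "h.updated_at",
}

// ErrUnknownSortKey is returned for any sort key outside the allow-list.
var ErrUnknownSortKey = errors.New("order key not in allow-list")

// buildOrderByUnsafe mirrors the vulnerable pattern: whatever the client sends
// as the sort key becomes part of the query text, so an expression (not just a
// column name) reaches MySQL unchanged. Shown only to contrast with the safe form.
func buildOrderByUnsafe(orderKey, direction string) string {
	return fmt.Sprintf("SELECT id FROM hosts h ORDER BY %s %s", orderKey, direction)
}

// buildOrderBySafe maps the client-supplied key to a known column and accepts
// only asc/desc (empty means asc). Nothing client-controlled is ever
// concatenated into the SQL string; rejected input never produces a query.
func buildOrderBySafe(orderKey, direction string) (string, error) {
	col, ok := sortableColumns[strings.ToLower(strings.TrimSpace(orderKey))]
	if !ok {
		return "", ErrUnknownSortKey
	}
	dir := "ASC"
	switch strings.ToLower(strings.TrimSpace(direction)) {
	case "", "asc":
	case "desc":
		dir = "DESC"
	default:
		return "", fmt.Errorf("invalid sort direction %q", direction)
	}
	return fmt.Sprintf("SELECT id FROM hosts h ORDER BY %s %s", col, dir), nil
}

func main() {
	// Constructed hostile input: a conditional expression rather than a column
	// name, the kind of value the advisory says influences result ordering.
	hostile := "(CASE WHEN 1=1 THEN h.hostname ELSE h.id END)"

	fmt.Println("unsafe:", buildOrderByUnsafe(hostile, "ASC"))

	if _, err := buildOrderBySafe(hostile, "asc"); err != nil {
		fmt.Println("safe: rejected:", err)
	}
	q, _ := buildOrderBySafe("hostname", "desc")
	fmt.Println("safe:", q)
}
```

The same check belongs at the proxy layer as a fallback: a reverse proxy in front of the endpoint can reject requests whose sort parameter is not one of the allow-listed keys, which limits exposure while an upgrade is pending.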

Exploit · Fix · DoS · SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-26186
GHSA-49XW-VFC4-7P43
GO-2026-4557
SUSE-SU-2026:1042-1

Affected Products

Fleet