CVE-2026-26186
SQL Injection in Fleet Device Management via order_key Parameter
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fleetdm | fleet | up to 4.80.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26186 is a SQL injection vulnerability in the Fleet open source device management software versions prior to 4.80.1. It occurs because the software unsafely uses the goqu.I() function when constructing the SQL ORDER BY clause, specifically with the order_key query parameter. This unsafe use allows an authenticated user to inject arbitrary SQL expressions that can escape identifier quoting and be executed as part of the SQL query.
Although the injection happens in an ORDER BY context, it enables blind SQL injection techniques that can leak database information by influencing the order of query results through conditional expressions. Crafted inputs may also cause excessive computation or query failures.
How can this vulnerability impact me?
An attacker who is authenticated and has access to the affected endpoint can exploit this vulnerability to inject SQL code into the database queries. This can lead to disclosure of sensitive database information through blind SQL injection techniques.
Additionally, maliciously crafted inputs may cause excessive computation or query failures, which can degrade system performance or cause denial of service. However, there is no direct evidence that this vulnerability allows reliable data modification or execution of stacked queries.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Fleet software to version 4.80.1 or later where the issue is fixed.
If an immediate upgrade is not possible, restrict access to the affected endpoint to trusted roles only.
Ensure that any user-supplied sort or column parameters are strictly allow-listed at the application or proxy layer to prevent injection.
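The allow-listing the last step describes, shown as an added Go example (Fleet is written in Go) that is not Fleet's own code: the column map and BuildOrderBy are hypothetical, and the untrusted order_key is only ever used as a lookup key into a fixed map, so no input text reaches the SQL string even when it tries to break out of identifier quoting.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedOrderKeys is a hypothetical allow-list mapping the order_key values a
// client may send to fixed, server-defined column expressions. Only the map
// values ever appear in SQL; the client's string is purely a lookup key.
var allowedOrderKeys = map[string]string{
	"hostname":   "h.hostname",
	"created_at": "h.created_at",
	"os_version": "h.os_version",
}

var ErrOrderKey = errors.New("order_key not in allow-list")

// BuildOrderBy turns user-supplied order_key/order_direction into an ORDER BY
// fragment. Anything not matching the allow-list is rejected outright rather
// than quoted, which is what prevents the quoting bypass described above.
func BuildOrderBy(orderKey, orderDirection string) (string, error) {
	column, ok := allowedOrderKeys[strings.ToLower(strings.TrimSpace(orderKey))]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrOrderKey, orderKey)
	}
	direction := "ASC"
	switch strings.ToUpper(strings.TrimSpace(orderDirection)) {
	case "", "ASC":
	case "DESC":
		direction = "DESC"
	default:
		return "", fmt.Errorf("invalid order_direction %q", orderDirection)
	}
	return "ORDER BY " + column + " " + direction, nil
}

func main() {
	// Constructed inputs: a legitimate key, a key carrying a stray quote
	// character, and a key that tries to smuggle in a second column.
	for _, in := range [][2]string{{"hostname", "desc"}, {"hostname`", ""}, {"hostname, created_at", "asc"}} {
		frag, err := BuildOrderBy(in[0], in[1])
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", frag)
	}
}
```

The same lookup pattern applies at a reverse proxy: reject any order_key value not in the list before the request reaches the application.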