SQL Injection Vulnerability in Fleet Device Management Software
CVE-2026-26186

5.1 MEDIUM

Key Information:

Vendor

Fleetdm

Status
Vendor
CVE Published:
26 February 2026

What is CVE-2026-26186?

Fleet, the open-source device management software, is affected by a SQL injection vulnerability in versions prior to 4.80.1. An authenticated user can manipulate SQL queries through the order_key query parameter because that input is placed into an ORDER BY clause without adequate validation. Specifically, the value is passed to goqu.I() while the ORDER BY clause is constructed, and crafted input bypasses the identifier quoting that call is expected to provide, so arbitrary SQL expressions end up in the executed statement.

An attacker with access to the affected endpoint could use crafted order_key values to reveal sensitive database information, or to degrade performance and cause a denial of service. Reliable data modification through this vector has not been demonstrated, which is consistent with the Integrity: None rating in the CVSS breakdown below.

Users should upgrade to Fleet 4.80.1 or later. Until then, restrict access to the affected endpoint and validate order_key strictly, preferably by accepting only values from a fixed list of sortable columns rather than trying to sanitise free-form input before quoting it.
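The following Go program is an added illustration of the pattern described above; it is not Fleet's code and does not reproduce goqu's identifier handling. It models a hypothetical weak path that wraps a user-supplied sort key in backticks and interpolates it, shows how a key containing a backtick escapes that quoting, and contrasts it with an allowlist builder that never places request bytes into the SQL text. The hosts table, the column names, the order_direction parameter name, and the hostile input are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// naiveQuoteIdent splits on "." and wraps each part in backticks. It neither
// rejects nor escapes a backtick inside the input, so a caller-supplied
// string can close the quote early. (Hypothetical weak helper, not goqu.)
func naiveQuoteIdent(ident string) string {
	parts := strings.Split(ident, ".")
	for i, p := range parts {
		parts[i] = "`" + p + "`"
	}
	return strings.Join(parts, ".")
}

// buildOrderByUnsafe interpolates the "quoted" identifier and the direction
// straight into the statement text.
func buildOrderByUnsafe(base, orderKey, direction string) string {
	return fmt.Sprintf("%s ORDER BY %s %s", base, naiveQuoteIdent(orderKey), direction)
}

// allowedSortKeys maps externally accepted sort keys to the exact column
// expressions the query may use. Constructed for this example.
var allowedSortKeys = map[string]string{
	"hostname":   "h.hostname",
	"created_at": "h.created_at",
	"uuid":       "h.uuid",
}

// buildOrderBySafe never copies request bytes into SQL: the key selects a
// fixed column expression and the direction must be one of two keywords.
func buildOrderBySafe(base, orderKey, direction string) (string, error) {
	col, ok := allowedSortKeys[orderKey]
	if !ok {
		return "", fmt.Errorf("order_key %q is not a sortable column", orderKey)
	}
	dir := strings.ToUpper(direction)
	if dir != "ASC" && dir != "DESC" {
		return "", fmt.Errorf("order_direction %q must be asc or desc", direction)
	}
	return fmt.Sprintf("%s ORDER BY %s %s", base, col, dir), nil
}

// orderBySafeFromQuery parses a raw query string such as
// "order_key=hostname&order_direction=desc" and applies the allowlisted
// builder. The parameter name order_direction is an assumption here.
func orderBySafeFromQuery(base, rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	key := q.Get("order_key")
	if key == "" {
		return "", errors.New("order_key is required")
	}
	dir := q.Get("order_direction")
	if dir == "" {
		dir = "asc"
	}
	return buildOrderBySafe(base, key, dir)
}

func main() {
	const base = "SELECT h.id, h.hostname FROM hosts h"
	// Constructed hostile order_key: closes the backtick, appends an
	// arbitrary expression, and comments out the remainder of the line.
	hostile := "hostname`, (SELECT SLEEP(5)) -- "

	fmt.Println("unsafe:", buildOrderByUnsafe(base, hostile, "ASC"))
	if _, err := buildOrderBySafe(base, hostile, "ASC"); err != nil {
		fmt.Println("safe rejected:", err)
	}
	stmt, _ := orderBySafeFromQuery(base, "order_key=created_at&order_direction=desc")
	fmt.Println("safe:", stmt)
}
```

In the weak path the hostile key produces ORDER BY `hostname`, (SELECT SLEEP(5)) -- ` ASC, so the injected subquery runs and the dangling backtick is swallowed by the comment; that is the shape of a sleep-based availability or blind-extraction primitive. The allowlist builder rejects the same input outright, which is the validation the advisory recommends as an interim measure.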

Affected Version(s)

fleet < 4.80.1

CVSS v4

Score: 5.1
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (the description above states that an authenticated user is required)
User Interaction: None
Confidentiality: High
Integrity: None
Availability: High

Timeline

  • Vulnerability published: 26 February 2026

  • Vulnerability reserved