Fleet is an open-source device management platform that prior to version 4.80.1 contained a SQL injection vulnerability identified as CVE-2026-26186. The vulnerability stems from unsafe use of the goqu.I() function when constructing the ORDER BY clause in SQL queries, specifically through the 'order_key' query parameter. This parameter is intended to specify sorting columns but is not properly sanitized, allowing authenticated users to inject specially crafted SQL expressions. These expressions can escape the intended identifier quoting, causing the database engine (MySQL) to interpret them as executable SQL code. Although the injection occurs in an ORDER BY context, it enables blind SQL injection techniques where attackers can infer database content by observing changes in query result ordering. Additionally, attackers may craft expressions that cause excessive computational load or query failures, potentially degrading system performance or causing denial of service. The vulnerability does not appear to allow direct data modification or execution of stacked queries. The issue was addressed and fixed in Fleet version 4.80.1. Until upgrading, users should restrict access to the vulnerable endpoint to trusted roles and enforce strict allow-lists on any user-supplied sorting or column parameters at the application or proxy level to prevent injection.

This vulnerability allows authenticated attackers to perform blind SQL injection attacks, potentially leading to unauthorized disclosure of sensitive database information such as device inventories, user data, or configuration details managed by Fleet. The ability to influence query ordering and cause excessive computation may also degrade system performance or cause denial of service, impacting availability. While direct data modification or remote code execution is not demonstrated, information disclosure can facilitate further attacks or reconnaissance. Organizations relying on Fleet for device management could face operational disruptions and data confidentiality risks. The impact is heightened in environments where multiple users have authenticated access but insufficient role restrictions, increasing the attack surface. Given Fleet's role in managing potentially large fleets of devices, exploitation could affect critical infrastructure or enterprise IT environments.

The primary mitigation is to upgrade Fleet to version 4.80.1 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, organizations should restrict access to the affected endpoint strictly to trusted and minimal roles to reduce the risk of exploitation. Implement strict allow-lists for any user-supplied parameters used for sorting or column selection, validating inputs against known safe values at the application or proxy level. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'order_key' parameter. Regularly audit and monitor logs for unusual query patterns or errors indicative of injection attempts. Additionally, enforce the principle of least privilege for authenticated users to limit the potential impact of compromised accounts. Conduct security testing and code reviews focusing on SQL query construction to prevent similar injection flaws.