CVE-2026-26186: Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter
A SQL injection vulnerability in Fleet’s software versions API allowed authenticated users to inject arbitrary SQL expressions via the order_key query parameter. Because the ORDER BY clause was built by passing this value to goqu.I(), a specially crafted value could break out of the identifier quoting (backticks) and be interpreted as executable SQL.
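A defensive pattern for the order_key handling described above, written as an added example (not Fleet's code; the sortable column names and the MySQL backtick quoting are assumptions): the untrusted parameter only selects an entry from a fixed allowlist and is never handed to an identifier builder, so a value carrying a backtick is rejected instead of quoted.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Columns the endpoint may sort by. These names are constructed for this
// example; Fleet's real column set differs.
var allowedOrderKeys = map[string]struct{}{
	"name":        {},
	"version":     {},
	"hosts_count": {},
}

// identRe accepts only plain identifiers: no quotes, backticks, spaces or dots.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// BuildOrderBy turns untrusted order_key / order_direction query parameters
// into an ORDER BY clause. The user value is never interpolated directly: it
// must match the identifier pattern and be present in the allowlist.
func BuildOrderBy(orderKey, orderDirection string) (string, error) {
	key := strings.ToLower(strings.TrimSpace(orderKey))
	if !identRe.MatchString(key) {
		return "", fmt.Errorf("invalid order_key %q", orderKey)
	}
	if _, ok := allowedOrderKeys[key]; !ok {
		return "", fmt.Errorf("order_key %q is not sortable", orderKey)
	}
	dir := "ASC"
	switch strings.ToLower(strings.TrimSpace(orderDirection)) {
	case "", "asc":
	case "desc":
		dir = "DESC"
	default:
		return "", fmt.Errorf("invalid order_direction %q", orderDirection)
	}
	// Backtick quoting (MySQL) is safe here: the regexp guarantees the
	// allowlisted name contains no backtick that could close the quote early.
	return fmt.Sprintf("ORDER BY `%s` %s", key, dir), nil
}

func main() {
	for _, in := range []string{"name", "Version", "version`", "id"} {
		clause, err := BuildOrderBy(in, "desc")
		fmt.Printf("%-10q -> %q err=%v\n", in, clause, err)
	}
}
```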