Description
Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the `order_key` query parameter. Due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause, specially crafted input could escape identifier quoting and be interpreted as executable SQL. An authenticated attacker with access to the affected endpoint could inject SQL expressions into the underlying MySQL query. Although the injection occurs in an `ORDER BY` context, it is sufficient to enable blind SQL injection techniques that can disclose database information through conditional expressions that affect result ordering. Crafted expressions may also cause excessive computation or query failures, potentially leading to degraded performance or denial of service. No direct evidence of reliable data modification or stacked query execution was demonstrated. Version 4.80.1 fixes the issue. If an immediate upgrade is not possible, users should restrict access to the affected endpoint to trusted roles only and ensure that any user-supplied sort or column parameters are strictly allow-listed at the application or proxy layer.
Published: 2026-02-26
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential data disclosure via blind SQL injection
Action: Patch Now
AI Analysis

Impact

An authenticated user can exploit a SQL injection flaw in the fleetdm/fleet software when specifying the order_key query parameter. The vulnerable code constructs an ORDER BY clause by escaping identifiers with backticks, but a specially crafted input can break out of the quoted identifier and inject arbitrary SQL expressions. Although the attack is limited to an ORDER BY context, it allows attackers to use blind techniques that modify the order of results to infer database contents. Crafted payloads may also induce expensive computations or cause query failures, degrading service availability. The flaw does not provide evidence of reliable data modification or stacked query execution but can still lead to confidential data leakage and potential denial of service.

Affected Systems

The affected product is Fleet, the open-source device management platform, versions prior to 4.80.1. Version 4.80.1 contains a fix that closes the vulnerability.

Risk and Exploitability

The CVSS score of 5.1 reflects a moderate risk, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user with access to the endpoint that accepts the order_key parameter. The main impact is the potential for data disclosure via blind SQL injection, with a secondary risk of service degradation through excessive query processing.

Generated by OpenCVE AI on April 17, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fleet to version 4.80.1 or later to remediate the injection flaw.
  • When an immediate upgrade is not feasible, restrict the affected API endpoint so that only trusted roles can access it.
  • Implement input validation or an allow-list for all user-supplied sort and column parameters at the application or proxy layer to eliminate untrusted values from the ORDER BY clause.
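The root cause in the description (a user-supplied column name wrapped in backticks rather than validated, so a backtick in the value ends the quoted identifier) and the mitigation in the recommended actions (a strict allow-list for sort parameters) are shown side by side in the following Go example. This is an added illustration, not Fleet's code and not the goqu library's code: the `NaiveQuoteIdentifier` function is a stand-in for the unsafe quoting pattern, and the column names in `allowedSortColumns` are constructed for a hypothetical listing endpoint.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedSortColumns is a constructed allow-list for a hypothetical hosts
// listing endpoint (the real Fleet column set is not on this page). Each
// accepted order_key maps to a fixed SQL fragment controlled by the server.
var allowedSortColumns = map[string]string{
	"hostname":   "h.hostname",
	"created_at": "h.created_at",
	"updated_at": "h.updated_at",
}

var ErrBadSortKey = errors.New("order_key is not an allowed column")
var ErrBadSortDir = errors.New("order_direction must be asc or desc")

// OrderByClause maps a user-supplied order_key/order_direction pair onto a
// fixed ORDER BY fragment. Because the fragment is looked up from the
// allow-list, no byte of user input ever reaches the query text.
func OrderByClause(orderKey, orderDirection string) (string, error) {
	col, ok := allowedSortColumns[orderKey]
	if !ok {
		return "", ErrBadSortKey
	}
	dir := "ASC"
	switch strings.ToLower(orderDirection) {
	case "", "asc":
	case "desc":
		dir = "DESC"
	default:
		return "", ErrBadSortDir
	}
	return fmt.Sprintf("ORDER BY %s %s", col, dir), nil
}

// NaiveQuoteIdentifier mimics the unsafe pattern the advisory describes:
// it wraps whatever it is given in backticks without checking the content.
// A backtick inside the input therefore closes the identifier early. It is
// here only to show why quoting alone is not a defence; do not use it.
func NaiveQuoteIdentifier(name string) string {
	return "`" + name + "`"
}

// IdentifierIsClean is a defence-in-depth check behind the allow-list: it
// accepts only lowercase letters, digits and underscores, so a backtick or
// any other SQL syntax character is rejected before quoting is attempted.
func IdentifierIsClean(name string) bool {
	if name == "" || len(name) > 64 {
		return false
	}
	for _, r := range name {
		if !(r == '_' || (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9')) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample order_key values: two legitimate columns and one
	// containing a backtick, which the naive quoter would pass through.
	for _, key := range []string{"hostname", "host`name", "created_at"} {
		clause, err := OrderByClause(key, "desc")
		fmt.Printf("%q -> clause=%q err=%v clean=%v naiveQuoted=%q\n",
			key, clause, err, IdentifierIsClean(key), NaiveQuoteIdentifier(key))
	}
}
```

The allow-list is the primary control: the server decides which columns are sortable and what SQL each one expands to, so there is nothing for quoting to get wrong. The character check is worth keeping as a second layer in front of any code path that still builds identifiers dynamically.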

Advisories
Source: GitHub GHSA
ID: GHSA-49xw-vfc4-7p43
Title: Fleet has an SQL Injection vulnerability via backtick escape in ORDER BY parameter
History

Mon, 02 Mar 2026 16:00:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Fleetdm; Fleetdm fleet
Vendors & Products                    Fleetdm; Fleetdm fleet

Thu, 26 Feb 2026 00:15:00 +0000

Type         Values Removed   Values Added
Description                   (the text shown in the Description section above)
Title                         Fleet has a SQL injection via backtick escape in ORDER BY parameter
Weaknesses                    CWE-89
References
Metrics                       cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:52:24.634Z

Reserved: 2026-02-11T19:56:24.812Z

Link: CVE-2026-26186

Vulnrichment

Updated: 2026-02-26T14:52:17.944Z

NVD

Status: Analyzed

Published: 2026-02-26T00:16:23.450

Modified: 2026-03-02T15:45:35.070

Link: CVE-2026-26186

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses