diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 4421c2c73..3c00ab7d9 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -164,13 +164,14 @@ steps: - build/*.xml - build/coverage*.out - - label: ":smartbear-testexecute: Run unit tests with requirefips build tag and FIPS provider" + - label: ":smartbear-testexecute: Run fips140=on unit tests with FIPS provider and microsoft/go" key: unit-test-fips-tag command: ".buildkite/scripts/unit_test.sh" env: FIPS: "true" GOEXPERIMENT: "systemcrypto" GO_DISTRO: "microsoft" + GODEBUG: "fips140=on,tlsmlkem=0" agents: provider: "aws" imagePrefix: "${IMAGE_UBUNTU_X86_64_FIPS}" @@ -179,7 +180,7 @@ steps: - build/*.xml - build/coverage*.out - - label: ":smartbear-testexecute: Run fips140=only unit tests with FIPS provider" + - label: ":smartbear-testexecute: Run fips140=only unit tests with FIPS provider and upstream go" key: unit-test-fips140-only command: ".buildkite/scripts/unit_test_fipsonly.sh" env: diff --git a/.ci/bump-golang.yml b/.ci/bump-golang.yml index 26edb062f..29946296f 100644 --- a/.ci/bump-golang.yml +++ b/.ci/bump-golang.yml @@ -79,15 +79,6 @@ targets: content: '{{ source "latestGoVersion" }}' file: .go-version matchpattern: '\d+.\d+.\d+' - update-golang.ci: - name: "Update .golangci.yml" - sourceid: latestGoVersion - scmid: githubConfig - kind: file - spec: - content: '{{ source "latestGoVersion" }}' - file: .golangci.yml - matchpattern: '\d+.\d+.\d+' update-gomod: name: "Update go.mod" sourceid: latestGoVersion diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 88adae0ff..1a2f97782 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml 
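Review bot: The new `GODEBUG: "fips140=on,tlsmlkem=0"` entry in the `unit-test-fips-tag` step has no comment saying why `tlsmlkem=0` is set, and that setting turns off the default X25519MLKEM768 hybrid key exchange in crypto/tls for every test the step runs. A line above it such as `# tlsmlkem=0: <reason placeholder, e.g. provider lacks ML-KEM>; remove once supported` would keep the downgrade from outliving its cause. The relabel also drops the mention of the requirefips build tag; whether `unit_test.sh` still builds with that tag is not visible here, so the label and the script should be checked against each other. The step definition continues past the end of the hunk.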
@@ -39,7 +39,7 @@ jobs: uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: v2.5.0 + version: v2.11.4 # Give the job more time to execute. # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but, diff --git a/.go-version b/.go-version index 0e0c284d8..f2aec5196 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.25.9 +1.26.2 \ No newline at end of file diff --git a/.golangci.yml b/.golangci.yml index b27be7e11..cfe658b31 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -4,7 +4,6 @@ run: timeout: 1m build-tags: - integration - go: "1.25.9" issues: # Maximum count of issues with the same text. diff --git a/changelog/fragments/1775752898-Update-go-to-v1.26.2.yaml b/changelog/fragments/1775752898-Update-go-to-v1.26.2.yaml new file mode 100644 index 000000000..2b70dd1e6 --- /dev/null +++ b/changelog/fragments/1775752898-Update-go-to-v1.26.2.yaml 
@@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: enhancement + +# Change summary; a 80ish characters long description of the change. +summary: Update go to v1.26.2 + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: fleet-server + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +#pr: https://github.com/owner/repo/1234 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 diff --git a/dev-tools/go.mod b/dev-tools/go.mod index 2a4798024..8b508fb98 100644 --- a/dev-tools/go.mod +++ b/dev-tools/go.mod 
@@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/dev-tools -go 1.25.9 +go 1.26.2 tool ( github.com/elastic/go-json-schema-generate/cmd/schema-generate diff --git a/go.mod b/go.mod index bccba0ee2..e447beb05 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/v7 -go 1.25.9 +go 1.26.2 require ( github.com/Pallinder/go-randomdata v1.2.0 diff --git a/internal/pkg/api/server_test.go b/internal/pkg/api/server_test.go index 80767317b..5c21c3c29 100644 --- a/internal/pkg/api/server_test.go +++ b/internal/pkg/api/server_test.go @@ -161,7 +161,7 @@ func Test_server_ClientCert(t *testing.T) { break } - rCtx, rCancel := context.WithTimeout(ctx, time.Second) + rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second) defer rCancel() req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil) require.NoError(t, err) @@ -233,7 +233,7 @@ func Test_server_ClientCert(t *testing.T) { break } - rCtx, rCancel := context.WithTimeout(ctx, time.Second) + rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second) defer rCancel() req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil) require.NoError(t, err) @@ -306,7 +306,7 @@ func Test_server_ClientCert(t *testing.T) { break } - rCtx, rCancel := context.WithTimeout(ctx, time.Second) + rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second) defer rCancel() req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil) require.NoError(t, err) @@ -388,7 +388,7 @@ key: %s`, break } - rCtx, rCancel := context.WithTimeout(ctx, time.Second) + rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second) defer rCancel() req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil) require.NoError(t, err) diff --git a/internal/pkg/es/client_test.go b/internal/pkg/es/client_test.go index b353ae970..94635c9f3 100644 --- a/internal/pkg/es/client_test.go +++ b/internal/pkg/es/client_test.go 
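Review bot: The request timeout in `internal/pkg/api/server_test.go` goes from `time.Second` to `5*time.Second` in four hunks (new lines 161, 233, 306 and 388), with the literal repeated and no comment on why one second stopped being enough. A shared `const statusRequestTimeout = 5 * time.Second` with a one-line comment naming the cause (presumably slower TLS handshakes under the new toolchain or FIPS provider, to be confirmed) would keep the four call sites in step. If any of these subtests expects the client-certificate handshake to be rejected, confirm that the rejection is asserted on the error itself and not reached by running out the deadline, since a longer deadline would only hide that. The enclosing test functions start and end outside the hunks.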
@@ -6,6 +6,7 @@ package es import ( "context" + "crypto/fips140" "crypto/tls" "crypto/x509" _ "embed" @@ -19,7 +20,6 @@ import ( "time" "github.com/elastic/elastic-agent-libs/transport/tlscommon" - "github.com/elastic/fleet-server/v7/internal/pkg/build" "github.com/elastic/fleet-server/v7/internal/pkg/config" "github.com/elastic/fleet-server/v7/internal/pkg/testing/certs" "github.com/stretchr/testify/require" @@ -205,8 +205,13 @@ func TestConnectionTLS(t *testing.T) { _, err = FetchESVersion(ctx, client) - if build.FIPSDistribution { - require.ErrorContains(t, err, "tls: internal error") + if fips140.Enforced() { + // When FIPS 140 is enforced (GODEBUG=fips140=only), Go's crypto + // stack rejects signing with a 1024-bit RSA key. Note: fips140=on + // with microsoft/go's systemcrypto backend silently falls back to + // stdlib in test binaries (via UnreachableExceptTests), so only + // fips140=only reliably enforces this. + require.Error(t, err) } else { require.NoError(t, err) } diff --git a/pkg/api/go.mod b/pkg/api/go.mod index a500c0585..96954d04f 100644 --- a/pkg/api/go.mod +++ b/pkg/api/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/pkg/api -go 1.25.7 +go 1.25.0 require github.com/oapi-codegen/runtime v1.3.1 diff --git a/testing/go.mod b/testing/go.mod index 36c3ec804..48ec8596e 100644 --- a/testing/go.mod +++ b/testing/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/testing -go 1.25.9 +go 1.26.2 replace ( github.com/elastic/fleet-server/pkg/api => ../pkg/api
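Review bot: In the `TestConnectionTLS` hunk, replacing `require.ErrorContains(t, err, "tls: internal error")` with `require.Error(t, err)` lets any failure satisfy the enforced branch, so a refused connection or an expired context passes as readily as the rejection of the 1024-bit RSA key that the comment describes. Narrow it with something like `require.NotErrorIs(t, err, context.DeadlineExceeded)` next to the `require.Error`, or match the stable part of the new error text. Separately, because the guard moved from `build.FIPSDistribution` to `fips140.Enforced()`, a run with `fips140=on` takes the `else` branch and now requires the handshake with that key to succeed; the added comment calls this a known fallback in test binaries, so it deserves a tracking reference in the comment so that weak-key rejection in the FIPS distribution stays covered somewhere. The function body starts outside the hunk.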