CVE-2026-26988
SQL Injection in LibreNMS ajax_table.php Enables Data Access
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | to 26.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-26988 is a high-severity SQL Injection vulnerability found in the ajax_table.php endpoint of LibreNMS versions 25.12.0 and below.'}, {'type': 'paragraph', 'content': "The vulnerability occurs in the IPv6 address search functionality when the 'search_type' parameter is set to 'ipv6'. The application splits the user-supplied 'address' parameter into two parts: an address and a prefix. The prefix portion is then directly concatenated into the SQL query string without any sanitization or parameterization."}, {'type': 'paragraph', 'content': 'This improper handling allows an attacker to inject arbitrary SQL commands by including malicious characters such as single quotes in the prefix input, which can manipulate the SQL query structure.'}, {'type': 'paragraph', 'content': 'Unlike the IPv4 search, which uses prepared statements, the IPv6 search block fails to neutralize special SQL elements, leading to this SQL Injection vulnerability.'}] [1]
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary SQL commands on the LibreNMS database.
As a result, an attacker could gain unauthorized access to sensitive data or manipulate the database, potentially compromising the integrity and confidentiality of the monitored network information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the ajax_table.php endpoint of LibreNMS for SQL injection in the IPv6 address search functionality. Specifically, you can send crafted HTTP POST requests with the parameter search_type set to ipv6 and the address parameter containing malicious input designed to break the SQL query.'}, {'type': 'paragraph', 'content': 'An example command using curl to test for this vulnerability is:'}, {'type': 'list_item', 'content': 'curl -X POST -d "search_type=ipv6&address=snow/1nd\'" http://<librenms-server>/ajax_table.php'}, {'type': 'paragraph', 'content': 'If the server responds with an SQL error or unexpected behavior, it indicates the presence of the SQL injection vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade LibreNMS to version 26.2.0 or later, where this SQL injection vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the ajax_table.php endpoint to trusted users only, and consider applying web application firewall (WAF) rules to block suspicious input patterns targeting the address parameter with IPv6 prefix injections.