CVE-2026-26990
Time-Based Blind SQL Injection in LibreNMS Address Search
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| librenms | librenms | to 26.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-26990 is a time-based blind SQL injection vulnerability found in LibreNMS versions 25.12.0 and below. It exists in the file address-search.inc.php, specifically in the handling of the address parameter. When an authenticated user supplies a specially crafted subnet prefix as part of this parameter, the prefix value is concatenated directly into an SQL query without proper sanitization or parameter binding.'}, {'type': 'paragraph', 'content': "This unsafe concatenation allows an attacker to manipulate the SQL query logic and infer sensitive database information by measuring response times, exploiting MySQL's SLEEP() function to create conditional delays. The vulnerability requires only authentication and no special privileges beyond a standard user account."}] [2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive database information, including database schema details, administrative usernames, and password hashes.
Attackers can exploit this flaw to escalate privileges by cracking password hashes and gaining administrative access to the LibreNMS system.
The vulnerability has a high severity rating with a CVSS v3.1 base score of 8.8, indicating it can significantly impact confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing unusual response delays when authenticated users perform address searches in LibreNMS, specifically when supplying crafted subnet prefixes in the address parameter to the /ajax_table.php endpoint.'}, {'type': 'paragraph', 'content': "Detection involves sending POST requests with manipulated address values that include SQL injection payloads designed to cause time delays (e.g., using MySQL's SLEEP() function). By measuring response times, an attacker or tester can infer the presence of the time-based blind SQL injection vulnerability."}, {'type': 'paragraph', 'content': 'A practical approach is to use a proof-of-concept script (such as the Python script referenced in Resource 2) that automates sending these crafted requests and measures response timing to confirm exploitation.'}, {'type': 'paragraph', 'content': 'Example command outline for testing (requires authentication):'}, {'type': 'list_item', 'content': 'Send a POST request to /ajax_table.php with the address parameter set to a value like \'127.0.0.1/aa\' appended with a SQL payload that triggers a delay, e.g., \'127.0.0.1/aa\' + "\' OR IF(SUBSTRING((SELECT CURRENT_USER()),1,1)=\'a\', SLEEP(5), 0)-- "'}, {'type': 'list_item', 'content': 'Measure the response time; a significant delay indicates the vulnerability.'}, {'type': 'paragraph', 'content': 'Note: This requires valid authentication credentials on the LibreNMS instance.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade LibreNMS to version 26.2.0 or later, where the vulnerability has been fixed by refactoring the address search backend and properly handling the address parameter to prevent SQL injection.
Until the upgrade can be performed, restrict access to the LibreNMS interface to trusted users only, as exploitation requires authentication.
Additionally, monitor and audit user activity for suspicious address search queries that may indicate attempted exploitation.
If possible, apply any available patches or backported fixes that address the unsafe concatenation of the address parameter in SQL queries.