CVE-2026-26001
SQL Injection in GLPI Inventory Plugin Allows Data Manipulation
Publication date: 2026-03-18
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi-project | glpi_inventory | to 1.6.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade the glpi-inventory-plugin to version 1.6.6 or later, where the SQL injection vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "Until the upgrade can be applied, restrict access to the plugin's reporting features to only trusted users with necessary privileges to reduce the risk of exploitation."}, {'type': 'paragraph', 'content': 'Additionally, monitor logs for suspicious activity related to the dropdown_calendar report and consider applying network-level controls to limit access to the GLPI application.'}] [1]
Can you explain this vulnerability to me?
CVE-2026-26001 is a high-severity SQL injection vulnerability in the GLPI Inventory Plugin affecting versions up to and including 1.6.5. It occurs because the plugin fails to properly sanitize user input used in constructing SQL commands within reports, specifically the dropdown_calendar report.
This improper handling of input allows an attacker with adequate privileges to inject malicious SQL code, which can manipulate the SQL query logic and lead to unauthorized data access or modification.
How can this vulnerability impact me? :
This vulnerability can significantly impact data confidentiality by allowing attackers to access sensitive information without authorization.
It can also impact data integrity to a lesser extent, as attackers may be able to modify some data.
The vulnerability does not affect system availability.
Since the attack vector is network-based and requires only low privileges with no user interaction, it is relatively easy to exploit remotely by an attacker with some access rights.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability is an SQL injection in the dropdown_calendar report of the glpi-inventory-plugin for GLPI versions up to 1.6.5. Detection involves checking if the plugin version is vulnerable and monitoring for unusual or unauthorized SQL queries originating from report generation.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires some privileges and involves unsanitized user input in SQL queries, you can attempt to detect exploitation attempts by reviewing logs for suspicious SQL commands or errors related to the dropdown_calendar report.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the resources, but general approaches include:'}, {'type': 'list_item', 'content': 'Checking the installed version of the glpi-inventory-plugin to confirm if it is older than 1.6.6.'}, {'type': 'list_item', 'content': 'Reviewing database logs or GLPI application logs for unusual SQL errors or injection patterns related to report generation.'}, {'type': 'list_item', 'content': "Using network monitoring tools to detect anomalous SQL queries or unexpected traffic patterns targeting the plugin's report features."}] [1]