CVE-2026-26263
Received Received - Intake
Blind SQL Injection in GLPI Search Engine Allows Data Exposure

Publication date: 2026-04-06

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26263
EUVD
EUVD-2026-19248
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
glpi-project glpi From 11.0.0 (inc) to 11.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an unauthenticated attacker to execute arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the system.

Such unauthorized access and potential data compromise could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could negatively impact compliance with these common standards and regulations by exposing sensitive data or disrupting system availability.

Detection Guidance

The vulnerability is a time-based blind SQL injection in the Search engine component of GLPI versions 11.0.0 to before 11.0.6. Detection typically involves sending specially crafted search queries that include SQL injection payloads and observing response delays or anomalies indicating SQL execution.

Since this is a time-based blind SQL injection, one common detection method is to inject payloads that cause a delay in the database response if the injection is successful. For example, sending search requests with payloads that include SQL commands like 'SLEEP(5)' or equivalent can help detect the vulnerability by measuring response times.

Specific commands or tools to detect this vulnerability are not provided in the available resources. However, penetration testing tools such as sqlmap can be used to test for time-based blind SQL injection by targeting the GLPI Search engine endpoint with appropriate parameters.

Mitigation is to upgrade GLPI to version 11.0.6 or later. As a temporary workaround, disabling anonymous access to the FAQ limits exploitation to authenticated users only.

Executive Summary

CVE-2026-26263 is a high-severity unauthenticated time-based blind SQL injection vulnerability in the Search engine component of GLPI, an open-source IT asset management software.

This vulnerability affects GLPI versions from 11.0.0 up to but not including 11.0.6 and allows an attacker to execute arbitrary SQL commands without any authentication.

The issue arises because GLPI constructs SQL queries using user-supplied input without properly sanitizing or escaping special SQL syntax elements, enabling attackers to manipulate the SQL commands executed by the backend database.

Impact Analysis

This vulnerability can have a high impact on confidentiality, integrity, and availability of the affected system.

  • Confidentiality: Unauthorized attackers can access sensitive data stored in the database.
  • Integrity: Attackers can modify or corrupt data by executing arbitrary SQL commands.
  • Availability: The system's availability can be disrupted, potentially causing service outages.

Since no authentication or user interaction is required, the vulnerability can be exploited remotely over the network, increasing the risk.

Mitigation Strategies

The primary mitigation step is to upgrade GLPI to version 11.0.6 or later, where this vulnerability is fixed.

As a workaround before upgrading, you can disable anonymous access to the FAQ, which limits exploitation to authenticated users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26263. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart