CVE-2026-22821 Overview
CVE-2026-22821 is a SQL Injection vulnerability affecting the mreporting plugin for GLPI (Gestionnaire Libre de Parc Informatique). The vulnerability exists in versions prior to 1.9.4 and allows attackers to inject malicious SQL commands through date change functionality. This flaw stems from improper handling of user-controlled input in the $_SESSION['glpilanguage'] parameter, which is directly concatenated into SQL queries without proper sanitization.
Critical Impact
Authenticated attackers with high privileges can exploit this SQL injection vulnerability to extract sensitive data from the GLPI database, potentially exposing confidential IT asset management information, user credentials, and organizational infrastructure details.
Affected Products
- mreporting GLPI plugin versions prior to 1.9.4
- GLPI installations with vulnerable mreporting plugin enabled
Discovery Timeline
- 2026-02-12 - CVE CVE-2026-22821 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-22821
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) exists in the mreporting plugin's date handling functionality. The vulnerable code directly concatenates user session data into SQL queries without parameterization. Specifically, the $_SESSION['glpilanguage'] value is inserted directly into a SET lc_time_names SQL statement, allowing an attacker who can control or manipulate session data to inject arbitrary SQL commands.
The attack requires network access and high-level privileges within the GLPI system. While the authentication requirement limits the attack surface, successful exploitation could lead to high confidentiality impact through unauthorized data extraction from the underlying database.
Root Cause
The root cause is improper input validation and the use of string concatenation for building SQL queries instead of prepared statements with parameterized inputs. The vulnerable code in inc/baseclass.class.php constructs the SQL query by directly embedding the session language variable, bypassing any input sanitization mechanisms.
Attack Vector
The vulnerability is exploitable over the network by authenticated users with high privileges. An attacker would need to manipulate the $_SESSION['glpilanguage'] value or intercept and modify session data to include malicious SQL payloads. The injection point in the SET lc_time_names statement could be leveraged to execute additional SQL commands, extract database contents, or potentially modify data depending on the database configuration and permissions.
// Vulnerable code (before patch):
$query = "SET lc_time_names = '" . $_SESSION['glpilanguage'] . "'";
$DB->doQuery($query);
// Fixed code (after patch):
$query = "SET lc_time_names = ?";
$stmt = $DB->prepare($query);
$stmt->bind_param("s", $_SESSION['glpilanguage']);
$stmt->execute();
Source: GitHub Commit Changes
Detection Methods for CVE-2026-22821
Indicators of Compromise
- Unusual database queries containing SQL injection patterns in GLPI logs
- Unexpected session language values containing special SQL characters like single quotes, semicolons, or SQL keywords
- Database audit logs showing unauthorized data access or extraction attempts
- Anomalous activity from privileged GLPI user accounts
Detection Strategies
- Monitor web application logs for requests to mreporting plugin endpoints with suspicious parameter values
- Implement database query auditing to detect SQL injection attempts targeting the lc_time_names setting
- Deploy web application firewall (WAF) rules to detect SQL injection payloads in session-related parameters
- Review GLPI application logs for authentication anomalies or unusual administrative actions
Monitoring Recommendations
- Enable verbose logging for the GLPI application and mreporting plugin
- Configure database audit logging to capture all SET commands and unusual query patterns
- Implement alerting for multiple failed or suspicious database operations
- Monitor for session manipulation attempts or unusual session state changes
How to Mitigate CVE-2026-22821
Immediate Actions Required
- Upgrade the mreporting plugin to version 1.9.4 or later immediately
- Audit GLPI user accounts to ensure only necessary users have high-level privileges
- Review database access logs for any signs of exploitation prior to patching
- Consider temporarily disabling the mreporting plugin if immediate patching is not possible
Patch Information
The vulnerability has been fixed in mreporting version 1.9.4. The patch replaces direct string concatenation with prepared statements and parameterized queries to properly sanitize the $_SESSION['glpilanguage'] input. Organizations should update to the patched version by following the standard GLPI plugin update process.
For detailed patch information, refer to the GitHub Security Advisory GHSA-24q7-h59q-33w8 and the security commit.
Workarounds
- If immediate patching is not possible, restrict access to the mreporting plugin to only trusted administrative users
- Implement network-level restrictions to limit access to the GLPI application from trusted IP ranges only
- Deploy a web application firewall with SQL injection detection rules in front of the GLPI installation
- Consider temporarily disabling the mreporting plugin until the patch can be applied
# Update mreporting plugin via GLPI marketplace or manual update
cd /path/to/glpi/plugins/
# Backup current plugin
mv mreporting mreporting.backup
# Download and extract updated version 1.9.4+
wget https://github.com/pluginsGLPI/mreporting/releases/download/1.9.4/glpi-mreporting-1.9.4.tar.bz2
tar -xjf glpi-mreporting-1.9.4.tar.bz2
# Set appropriate permissions
chown -R www-data:www-data mreporting
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
