CVE-2026-25936 Overview
CVE-2026-25936 is a SQL injection vulnerability in GLPI, an open-source asset and IT management software package maintained by Teclib. The flaw affects GLPI versions starting at 11.0.0 and prior to 11.0.6. An authenticated user can inject malicious SQL statements through the application, enabling unauthorized database access. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Teclib resolved the issue in GLPI version 11.0.6.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the GLPI database, leading to disclosure, modification, or destruction of asset, ticket, and user data.
Affected Products
- GLPI version 11.0.0 through 11.0.5
- Teclib GLPI asset and IT management platform
- Self-hosted GLPI deployments running vulnerable releases
Discovery Timeline
- 2026-03-17 - CVE-2026-25936 published to the National Vulnerability Database
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-25936
Vulnerability Analysis
GLPI is a PHP-based asset and service management platform widely deployed for IT inventory, helpdesk ticketing, and configuration management. CVE-2026-25936 describes a SQL injection path that an authenticated user can reach through normal application functionality. The flaw allows attacker-controlled input to influence the structure of SQL statements executed by the backend database.
Successful exploitation provides high impact across confidentiality, integrity, and availability. An attacker with valid credentials can read arbitrary tables, modify records, or disrupt database operations. Because GLPI commonly stores inventory data, credentials, and ticket histories, the data exposure scope is broad.
Root Cause
The root cause is improper neutralization of user-supplied input before it is incorporated into SQL queries. The vulnerable code path concatenates or insufficiently parameterizes input prior to execution. The GitHub Security Advisory GHSA-qw3x-7vv2-7759 contains additional context on the fix and the technical details.
Attack Vector
The attack vector is network-based and requires low privileges. An authenticated GLPI user submits crafted parameters to a vulnerable endpoint. No user interaction from another party is required, and the attack can be automated against exposed GLPI portals. Because GLPI is often reachable over corporate networks or the public internet, the practical reach of this flaw is wide.
No public proof-of-concept code is currently available. The vulnerability mechanism is described in prose because no verified exploit samples have been released.
Detection Methods for CVE-2026-25936
Indicators of Compromise
- Unusual HTTP POST or GET requests to GLPI endpoints containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA.
- Database error messages logged in php_errors.log or the web server error log referencing malformed SQL queries.
- Unexpected administrative actions or data exports performed by low-privilege GLPI accounts.
Detection Strategies
- Inspect GLPI application logs for repeated requests from a single authenticated session to parameterized endpoints with anomalous payloads.
- Deploy a web application firewall ruleset tuned for SQL injection signatures in front of the GLPI portal.
- Correlate authenticated session activity with database query logs to identify queries that deviate from normal GLPI ORM patterns.
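As an added example (not part of this advisory or of the GLPI project), the following script applies the indicator-based detection described above to constructed web access-log lines: it URL-decodes each request, matches the listed SQL keywords as whole words, and groups hits per authenticated session so that repeated anomalous requests from one session stand out. The log layout, the trailing session-id field, the user names and the request paths are all assumptions.

```python
# Added example: flag SQL-injection-style requests in GLPI web access logs.
# The log layout and trailing session-id field are constructed; adapt LOG_RE.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Indicators named in the advisory, matched as whole words, case-insensitive.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|SLEEP|INFORMATION_SCHEMA)\b", re.IGNORECASE)

# Combined log format plus a trailing GLPI session-id field (constructed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<session>\S+)$'
)

def decode_request(path):
    """URL-decode twice so simple double-encoded payloads are not missed."""
    return unquote_plus(unquote_plus(path))

def find_sqli_indicators(line):
    """Return (user, session, decoded_path, keywords) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_request(m.group("path"))
    hits = sorted({k.upper() for k in SQL_KEYWORDS.findall(decoded)})
    return (m.group("user"), m.group("session"), decoded, hits) if hits else None

def suspicious_sessions(lines, threshold=2):
    """Group hits per (user, session) and keep sessions with >= threshold hits."""
    per_session = defaultdict(list)
    for line in lines:
        hit = find_sqli_indicators(line)
        if hit:
            user, session, path, keywords = hit
            per_session[(user, session)].append((path, keywords))
    return {key: hits for key, hits in per_session.items() if len(hits) >= threshold}

# Constructed sample lines: one benign session (alice) and one probing session (tech1).
SAMPLE_LOG = [
    '10.0.0.5 - tech1 [17/Mar/2026:10:00:01 +0000] "GET /front/example.form.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0" glpi_sess_a1',
    '10.0.0.5 - tech1 [17/Mar/2026:10:00:07 +0000] "GET /front/example.form.php?id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "Mozilla/5.0" glpi_sess_a1',
    '10.0.0.5 - tech1 [17/Mar/2026:10:00:09 +0000] "GET /front/example.form.php?id=42%2527%2520AND%2520SLEEP(5)-- HTTP/1.1" 200 20 "-" "Mozilla/5.0" glpi_sess_a1',
    '10.0.0.9 - alice [17/Mar/2026:10:01:00 +0000] "POST /front/example.form.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" glpi_sess_b2',
]

if __name__ == "__main__":
    for (user, session), hits in suspicious_sessions(SAMPLE_LOG).items():
        print(f"ALERT user={user} session={session} suspicious_requests={len(hits)}")
```

Keyword matching alone will produce false positives on legitimate GLPI traffic; the per-session threshold and a correlation with HTTP 500 responses or database errors in the application log are what make the signal actionable.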
Monitoring Recommendations
- Enable MySQL or MariaDB general query logging on GLPI database hosts during incident response windows.
- Alert on authenticated GLPI accounts triggering database errors at elevated rates.
- Track GLPI version strings across all instances to confirm patch status against version 11.0.6.
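An added example (not from the advisory or from GLPI) for the version-tracking recommendation: it classifies GLPI version strings against the affected range stated above, 11.0.0 up to but not including 11.0.6, treating a pre-release tag as preceding the final release of the same number. The inventory entries are constructed.

```python
# Added example: classify GLPI version strings against the CVE-2026-25936
# affected range (>= 11.0.0 and < 11.0.6). Inventory data below is constructed.
import re

FIRST_AFFECTED = (11, 0, 0)
FIXED = (11, 0, 6)

def parse_version(text):
    """Turn '11.0.5', '11.0.6-rc1' or 'GLPI 11.0.2' into (major, minor, patch, is_final).

    A pre-release suffix such as -rc1 or -dev marks the build as preceding the
    final release with the same number, so '11.0.6-rc1' is not yet 11.0.6.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, m.group(4) is None)

def classify(text):
    """Return 'affected', 'fixed', or 'outside-range' for one version string."""
    major, minor, patch, is_final = parse_version(text)
    core = (major, minor, patch)
    if core < FIRST_AFFECTED:
        return "outside-range"   # pre-11.0.0 releases are not covered by this advisory
    if core < FIXED or (core == FIXED and not is_final):
        return "affected"        # includes 11.0.6 pre-releases, which precede the fix
    return "fixed"

def patch_status(inventory):
    """Map instance name -> classification for a {name: version_string} dict."""
    return {name: classify(version) for name, version in inventory.items()}

# Constructed inventory: the version strings as reported by each instance.
INVENTORY = {
    "helpdesk-prod": "11.0.5",
    "helpdesk-test": "GLPI 11.0.6",
    "lab": "11.0.6-rc1",
    "legacy": "10.0.18",
}

if __name__ == "__main__":
    for name, status in patch_status(INVENTORY).items():
        print(f"{name:15} {INVENTORY[name]:15} {status}")
```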
How to Mitigate CVE-2026-25936
Immediate Actions Required
- Upgrade all GLPI instances to version 11.0.6 or later without delay.
- Audit GLPI user accounts and disable inactive or unnecessary authenticated users that could be leveraged for exploitation.
- Rotate database credentials and GLPI API tokens if compromise is suspected.
Patch Information
Teclib released GLPI version 11.0.6 to remediate CVE-2026-25936. Administrators should review the vendor advisory and follow the standard GLPI upgrade procedure, including database schema migration steps.
Workarounds
- Restrict access to the GLPI web interface using network controls or VPN gating until the patch is applied.
- Enforce strong authentication and multi-factor authentication for all GLPI user accounts to limit the attacker pool.
- Apply WAF rules that block common SQL injection payloads targeting GLPI endpoints as a temporary compensating control.
# Configuration example: upgrade GLPI to the patched release
# Back up the database before replacing the source tree; this is part of the standard GLPI upgrade procedure.
cd /var/www/glpi
php bin/console glpi:maintenance:enable
# Replace source with GLPI 11.0.6 release archive
# --allow-unstable is only needed when the target is a pre-release build; it can be omitted for the 11.0.6 stable release.
php bin/console glpi:database:update --allow-unstable
php bin/console glpi:maintenance:disable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.