CVE-2026-26988 Overview
LibreNMS, an auto-discovering PHP/MySQL/SNMP-based network monitoring tool, contains a critical SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, the address parameter is split into an address and a prefix, and the prefix portion is directly concatenated into the SQL query string without validation. This allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access or database manipulation.
Critical Impact
Unauthenticated attackers can exploit this SQL Injection vulnerability to access, modify, or exfiltrate sensitive network monitoring data from the underlying database, potentially compromising the entire network monitoring infrastructure.
Affected Products
- LibreNMS versions 25.12.0 and below
- LibreNMS network monitoring installations using IPv6 address search functionality
- All deployments with the vulnerable ajax_table.php endpoint exposed
Discovery Timeline
- 2026-02-20 - CVE-2026-26988 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26988
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the address search functionality of LibreNMS. When users search for IPv6 addresses through the ajax_table.php endpoint, the application processes the input by splitting it into address and prefix components. The fundamental security flaw lies in how the prefix portion is handled—it is directly concatenated into the SQL query string without proper sanitization, parameterization, or validation.
The vulnerability is network-accessible and requires no authentication or user interaction to exploit, making it particularly dangerous for internet-facing LibreNMS deployments. An attacker can craft malicious IPv6 address search queries that inject arbitrary SQL commands into the backend database queries.
Root Cause
The root cause stems from improper input validation and the use of string concatenation for SQL query construction rather than parameterized queries. When the application receives an IPv6 address search request, it parses the address parameter to extract a prefix value. This prefix value is then directly interpolated into the SQL query without being passed through prepared statement bindings or input sanitization routines. This classic SQL Injection pattern allows attackers to break out of the intended query context and execute arbitrary SQL commands.
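The concatenation pattern described above, next to the validated and bound form, as an added example that is not LibreNMS code. It uses Python's sqlite3 in place of PHP/MySQL; the table, column and function names are hypothetical, and the sample rows are constructed.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demo; not the LibreNMS schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ipv6_addr (address TEXT, prefixlen INTEGER, port TEXT)")
    db.executemany("INSERT INTO ipv6_addr VALUES (?, ?, ?)", [
        ("2001:db8::1", 64, "eth0"),
        ("2001:db8::2", 64, "eth1"),
        ("2001:db8:ffff::1", 48, "uplink"),
    ])
    return db


def search_concatenated(db, search):
    """Flawed pattern: the address is bound, but the prefix is pasted into the SQL text."""
    address, _, prefix = search.partition("/")
    sql = "SELECT port FROM ipv6_addr WHERE address = ? AND prefixlen = " + prefix
    return [row[0] for row in db.execute(sql, (address,))]


def search_bound(db, search):
    """Hardened pattern: validate the prefix as an integer 0-128, then bind it."""
    address, _, prefix = search.partition("/")
    if not (prefix.isascii() and prefix.isdigit() and int(prefix) <= 128):
        raise ValueError("prefix must be an integer between 0 and 128")
    sql = "SELECT port FROM ipv6_addr WHERE address = ? AND prefixlen = ?"
    return [row[0] for row in db.execute(sql, (address, int(prefix)))]


if __name__ == "__main__":
    db = make_db()
    crafted = "2001:db8::1/64 OR 1=1"  # constructed input; prefix carries SQL
    print(search_concatenated(db, "2001:db8::1/64"))  # one matching row
    print(search_concatenated(db, crafted))           # WHERE clause bypassed
    try:
        search_bound(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

With the concatenated query the text after the prefix becomes part of the WHERE clause, so every row is returned; with the bound query the same input never reaches the SQL parser as syntax.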
Attack Vector
The attack vector is network-based, targeting the ajax_table.php endpoint's IPv6 address search functionality. An attacker can submit a crafted HTTP request containing a malicious IPv6 address parameter with SQL injection payloads embedded in the prefix portion. Since the vulnerability requires no authentication, any network user with access to the LibreNMS web interface can potentially exploit this flaw. Successful exploitation could allow attackers to:
- Extract sensitive network device information and credentials stored in the database
- Modify monitoring configurations and alert thresholds
- Delete critical monitoring data
- Potentially escalate to further system compromise depending on database permissions
The security patch rewrites the address search backend to use proper parameterized queries through Laravel's Eloquent ORM:
+<?php
+
+/**
+ * SearchController.php
+ *
+ * -Description-
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * @link https://www.librenms.org
+ *
+ * @copyright 2026 Tony Murray
+ * @author Tony Murray <murraytony@gmail.com>
+ */
+
+namespace App\Http\Controllers\Table;
+
+use App\Models\Port;
+use Illuminate\Contracts\Database\Query\Expression;
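Review bot: The file-header docblock still carries the template placeholder "-Description-" under "SearchController.php"; replace it with a sentence stating what this controller does and that it builds the address search through the query builder, since this file is the one that carries the security fix. In the same docblock, "FITNESS FOR A PARTICULAR PURPOSE.See the" is missing the space after the full stop.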
Source: GitHub Commit
Detection Methods for CVE-2026-26988
Indicators of Compromise
- Anomalous HTTP requests to ajax_table.php containing unusual IPv6 address patterns with SQL syntax characters (single quotes, semicolons, UNION, SELECT keywords)
- Database query logs showing unexpected SQL commands or syntax errors originating from address search operations
- Unusual database access patterns or data exfiltration attempts from LibreNMS tables
- Web server access logs with encoded SQL injection payloads in address search parameters
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to the ajax_table.php endpoint
- Enable and monitor database query logging for suspicious queries containing UNION-based or time-based SQL injection signatures
- Deploy intrusion detection systems (IDS) with signatures for common SQL injection attack patterns targeting PHP applications
- Configure application-level logging to capture and alert on malformed IPv6 address search requests
Monitoring Recommendations
- Monitor LibreNMS web server access logs for requests containing SQL injection indicators such as UNION SELECT, OR 1=1, or encoded variants
- Implement database activity monitoring to detect unusual query patterns or unauthorized data access
- Set up alerts for failed database queries or syntax errors that may indicate exploitation attempts
- Review authentication logs for any unauthorized access following potential SQL injection exploitation
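One way to turn the log-monitoring items above into a check that keys on the flaw itself rather than on SQL keywords: a legitimate prefix is only ever an integer from 0 to 128, so anything else after the slash in the address parameter is worth an alert. This is an added example, not part of the original advisory or of LibreNMS; it assumes the log source records the request URL with the `address` parameter in the query string, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Feb/2026:10:01:02 +0000] "GET /ajax_table.php?address=2001%3Adb8%3A%3A1%2F64 HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/Feb/2026:10:01:09 +0000] "GET /ajax_table.php?address=2001%3Adb8%3A%3A1%2F64%20OR%201%3D1 HTTP/1.1" 200 9001',
    '198.51.100.9 - - [20/Feb/2026:10:01:15 +0000] "GET /ajax_table.php?address=2001%3Adb8%3A%3A%2F999 HTTP/1.1" 200 40',
    '198.51.100.7 - - [20/Feb/2026:10:02:00 +0000] "GET /overview HTTP/1.1" 200 100',
]


def prefix_problem(address_value):
    """Return a reason if the prefix part is not a plain 0-128 integer, else None."""
    if "/" not in address_value:
        return None  # no prefix supplied
    prefix = address_value.split("/", 1)[1]
    if not re.fullmatch(r"[0-9]{1,3}", prefix):
        return "non-numeric prefix"
    if int(prefix) > 128:
        return "prefix out of range"
    return None


def scan(lines):
    """Return (line_number, reason, decoded_value) for suspicious address searches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/ajax_table.php"):
            continue
        # parse_qs percent-decodes values, so encoded variants are caught too.
        for value in parse_qs(url.query).get("address", []):
            reason = prefix_problem(value)
            if reason:
                hits.append((number, reason, value))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```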
How to Mitigate CVE-2026-26988
Immediate Actions Required
- Upgrade LibreNMS to version 26.2.0 or later immediately to address this critical vulnerability
- If immediate upgrade is not possible, restrict network access to the LibreNMS web interface to trusted IP addresses only
- Implement WAF rules to block SQL injection patterns targeting the ajax_table.php endpoint
- Review database access logs for signs of prior exploitation and potential data breach
Patch Information
LibreNMS has released version 26.2.0, which contains the security fix for this vulnerability. The patch rewrites the address search backend to use parameterized queries through Laravel's Eloquent ORM, eliminating the SQL injection vector. The fix is available via the official GitHub commit and is documented in the GitHub Security Advisory. The associated pull request #18777 provides additional context on the implementation.
Workarounds
- Restrict access to the LibreNMS web interface using firewall rules or reverse proxy authentication until patching is complete
- Disable or restrict access to the IPv6 address search functionality if not required for operations
- Implement network segmentation to limit database access from the web application server
- Deploy a WAF with SQL injection detection capabilities in front of the LibreNMS application
# Configuration example - Restrict LibreNMS access using iptables
# Allow only trusted management networks to access LibreNMS
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

