CVE-2026-2751 Overview
CVE-2026-2751 is a blind SQL injection vulnerability in Centreon Web running on a Central Server. The flaw resides in the Service Dependencies module, where unsanitized array keys are passed into a SQL query during dependency deletion operations. An unauthenticated network-based attacker can manipulate the affected request to inject arbitrary SQL fragments. Successful exploitation allows attackers to read, modify, or destroy data in the Centreon backend database, including monitoring configuration and credentials. The issue is classified under [CWE-89] SQL Injection.
Critical Impact
Blind SQL injection in the Service Dependencies deletion handler enables remote attackers to compromise the confidentiality, integrity, and availability of the Centreon monitoring database without authentication or user interaction.
Affected Products
- Centreon Web on Central Server prior to 25.10.8
- Centreon Web on Central Server prior to 24.10.20
- Centreon Web on Central Server prior to 24.04.24
Discovery Timeline
- 2026-02-27 - CVE-2026-2751 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-2751
Vulnerability Analysis
The vulnerability exists in the Service Dependencies module of Centreon Web. When an administrator or automation tool issues a deletion request, the application iterates over an array sent in the HTTP request. The code uses the array keys directly in SQL statements without applying parameterized queries or input sanitization. An attacker can craft array keys containing SQL syntax to alter the query logic. Because the application does not return query results in the response, the injection is blind. Attackers extract data using boolean conditions or time-based payloads such as SLEEP() to infer database content one character at a time.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The Service Dependencies deletion handler trusts client-supplied array keys and concatenates them into SQL queries. Parameterized queries, prepared statements, or strict allowlist validation on key names are not enforced before the values reach the database driver.
Attack Vector
Exploitation occurs over the network against the Centreon Central Server web interface. The attacker submits a crafted POST request to the Service Dependencies deletion endpoint with malicious array keys. No authentication is required, and no user interaction is needed. Successful exploitation can lead to extraction of monitoring credentials, modification of monitoring configuration, or escalation to remote command execution by abusing Centreon's poller and command features.
No public proof-of-concept exploit code has been released. For implementation specifics, refer to the Centreon Security Bulletin CVE-2026-2751.
Detection Methods for CVE-2026-2751
Indicators of Compromise
- HTTP POST requests to Service Dependencies endpoints containing SQL keywords such as SLEEP, BENCHMARK, UNION, SELECT, or -- inside array key names.
- Repeated requests with incrementally changing payloads, indicative of blind SQLi character extraction.
- Unexpected long response times on /centreon requests that target dependency deletion handlers.
- Database logs showing malformed queries originating from the Centreon Web application user.
Detection Strategies
- Inspect web server access logs for parameter names containing SQL metacharacters or comment sequences.
- Enable MySQL or MariaDB general query logging temporarily to identify anomalous queries from the Centreon application.
- Deploy WAF rules that flag SQL keywords appearing in HTTP parameter names, not only values.
- Correlate authentication state with access to Service Dependencies endpoints to detect unauthenticated probing.
Monitoring Recommendations
- Forward Centreon Apache or NGINX logs, PHP-FPM logs, and database logs to a centralized SIEM.
- Alert on outbound connections from the Centreon Central Server to non-monitored hosts, which may indicate post-exploitation activity.
- Track file integrity on Centreon configuration directories and the /usr/share/centreon web root.
- Monitor for new or modified poller commands, which attackers may abuse after database compromise.
How to Mitigate CVE-2026-2751
Immediate Actions Required
- Upgrade Centreon Web on Central Server to version 25.10.8, 24.10.20, or 24.04.24 or later, depending on the deployed branch.
- Restrict network access to the Centreon Central Server web interface to trusted administrative networks only.
- Review database accounts used by Centreon and rotate credentials if compromise is suspected.
- Audit Service Dependencies, poller commands, and monitoring configuration for unauthorized changes.
Patch Information
Centreon has released fixed versions 25.10.8, 24.10.20, and 24.04.24 that address the blind SQL injection in the Service Dependencies deletion path. Apply the appropriate patch for your maintenance branch following the vendor's upgrade procedure. Details are available in the Centreon Security Bulletin CVE-2026-2751.
Workarounds
- Place the Centreon Central Server behind a reverse proxy and require client certificate or VPN authentication for all web access.
- Deploy a Web Application Firewall ruleset that blocks SQL keywords and metacharacters within HTTP parameter names targeting Service Dependencies endpoints.
- Limit the privileges of the MySQL or MariaDB account used by Centreon to the minimum required, preventing access to unrelated databases.
- Disable or restrict access to the Service Dependencies module until patching is complete, where operationally feasible.
# Example Apache configuration snippet to restrict access to administrative networks
<Location "/centreon">
Require ip 10.0.0.0/8
Require ip 192.168.10.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
