CVE-2026-29047 Overview
CVE-2026-29047 is a SQL Injection vulnerability affecting GLPI, a widely used free and open-source asset and IT management package. The flaw sits in the logs export feature and is reachable by authenticated users. An attacker holding valid credentials can alter the database queries the export builds, which can lead to unauthorized data access, data modification, or compromise of the entire GLPI database.
Critical Impact
Authenticated attackers can exploit the logs export feature to execute arbitrary SQL commands, potentially compromising the entire GLPI database including sensitive asset management data, user credentials, and IT infrastructure information.
Affected Products
- GLPI versions 10.0.0 up to but not including 10.0.24
- GLPI versions 11.0.0 up to but not including 11.0.6
- Vendor / product (as listed by NVD): glpi-project / glpi
Timeline
- 2026-04-06 - CVE-2026-29047 published to NVD
- 2026-04-07 - NVD record last updated
Technical Details for CVE-2026-29047
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) resides within the logs export functionality of GLPI. When an authenticated user accesses the logs export feature, user-supplied input is inadequately sanitized before being incorporated into SQL queries. This allows attackers to inject malicious SQL statements that execute with the privileges of the database user configured for the GLPI application.
The vulnerability requires network access and low-privilege authentication to exploit, but once exploited, it can result in complete compromise of confidentiality, integrity, and availability of the database. An attacker could potentially extract sensitive asset management data, modify records, create new administrative accounts, or delete critical IT management information.
Root Cause
The root cause of CVE-2026-29047 is improper input validation and insufficient parameterization of SQL queries in the logs export feature. User-controlled input passed to database queries is not properly escaped or handled through prepared statements, allowing SQL metacharacters to break out of the intended query context and execute attacker-controlled SQL commands.
Attack Vector
The attack requires an authenticated user to access the logs export functionality within GLPI. The attacker can craft malicious input containing SQL injection payloads that, when processed by the application, alter the structure of the underlying SQL query. This network-based attack does not require any user interaction beyond the attacker's own authentication, making exploitation straightforward once valid credentials are obtained.
According to the advisory, the export feature accepts parameters that reach the SQL query without adequate sanitization. Where such a parameter is built into the query as text rather than bound as a value, the usual injection techniques apply: UNION-based queries to read rows from other tables, boolean- or time-based blind injection to extract data when results are not echoed back, and, depending on the database driver and configuration, stacked queries to modify content. Stacked queries are frequently unavailable in practice: single-statement APIs such as PHP's mysqli_query() do not accept a second statement on the same call (that requires mysqli_multi_query()), so data modification usually has to come through the injected SELECT itself, for example via subqueries or functions that change state.
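The following is an added illustration of the root cause and attack vector described above; it is not GLPI code and does not reproduce the actual vulnerable query. It uses an in-memory SQLite database with constructed table and column names so that it runs offline; the break-out mechanics are the same against MySQL/MariaDB. It shows a filter value spliced into SQL text beside the parameterized form, runs a tautology and a UNION payload through both, and demonstrates that a stacked-query payload is rejected by a single-statement driver API (Python's sqlite3 here, analogous to mysqli_query() in PHP):

```python
import sqlite3


def make_db():
    """Constructed schema standing in for a log table and a user table (not GLPI's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logs(id INTEGER PRIMARY KEY, item TEXT, detail TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO logs VALUES (1, 'laptop-01', 'renamed'),
                                (2, 'server-07', 'relocated'),
                                (3, 'switch-02', 'decommissioned');
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
    """)
    return conn


def export_logs_vulnerable(conn, item):
    """Flawed shape: the user-supplied filter is spliced into the SQL text, so a
    quote or comment sequence inside it changes the structure of the query."""
    sql = "SELECT id, item, detail FROM logs WHERE item = '" + item + "'"
    return conn.execute(sql).fetchall()


def export_logs_fixed(conn, item):
    """Hardened shape: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, item, detail FROM logs WHERE item = ?"
    return conn.execute(sql, (item,)).fetchall()


def stacked_attempt(conn, item):
    """Same flawed concatenation, but with a stacked-query payload. Python's sqlite3
    executes one statement per call and refuses a second one, which is the driver
    behaviour the 'depending on the database configuration' caveat refers to."""
    sql = "SELECT id, item, detail FROM logs WHERE item = '" + item + "'"
    try:
        conn.execute(sql).fetchall()
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    for payload in ("laptop-01",
                    "x' OR '1'='1",
                    "x' UNION SELECT id, name, password FROM users--"):
        print(repr(payload))
        print("  vulnerable:", export_logs_vulnerable(db, payload))
        print("  fixed:     ", export_logs_fixed(db, payload))
    print("stacked DELETE:", stacked_attempt(db, "x'; DELETE FROM logs; --"),
          "/ rows left:", db.execute("SELECT COUNT(*) FROM logs").fetchone()[0])
```

The legitimate value returns the same row from both functions; the tautology returns every log row from the vulnerable version and nothing from the fixed one; the UNION payload pulls the constructed credential row out of a table the export was never meant to touch; and the stacked DELETE is rejected outright, leaving the table intact.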
Detection Methods for CVE-2026-29047
Indicators of Compromise
- Unusual or malformed requests to the logs export endpoint containing SQL metacharacters such as single quotes, semicolons, or UNION keywords
- Database error messages appearing in application logs related to the logs export feature
- Unexpected database query patterns or long-running queries originating from the GLPI application
- Evidence of data exfiltration or unauthorized database access in audit logs
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to GLPI
- Monitor application logs for failed SQL queries or database errors that may indicate exploitation attempts
- Configure database auditing to track unusual SELECT statements or data access patterns
- Review authentication logs for accounts making repeated requests to the logs export functionality
Monitoring Recommendations
- Enable detailed logging for the GLPI logs export feature and monitor for anomalous activity
- Set up alerts for database queries containing suspicious constructs such as UNION, SLEEP() or BENCHMARK(), reads of information_schema, or SQL comment sequences (a bare SELECT appears in every legitimate query and is not a useful trigger)
- Monitor network traffic for unusually large responses from the logs export endpoint that may indicate data exfiltration
- Implement user behavior analytics to detect authenticated users accessing the logs export feature with unusual frequency
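The detection and monitoring items above can be exercised against web server access logs. The script below is an added example, not part of the page or of GLPI: it parses combined-format access log lines, keeps only requests to the export endpoint, URL-decodes the query string (including double encoding) and flags SQL metacharacters, time-based functions, oversized responses, server errors and actors hitting the endpoint repeatedly. The endpoint path is an assumption taken from the page's own Apache example, and the log lines are constructed samples using documentation IP ranges:

```python
import re
import urllib.parse
from collections import Counter

# Assumption: the export endpoint path. Taken from the page's Apache example;
# set it to the real path used by your GLPI deployment.
EXPORT_PATH = "/glpi/front/log.php"

# Apache/nginx "combined" format: ip ident user [ts] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Coarse markers checked against the decoded query string. A legitimate search
# term can contain a quote, so hits are leads to review, not proof of exploitation.
SQLI_MARKERS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r";"), "semicolon"),
    (re.compile(r"\bunion\b.*?\bselect\b", re.IGNORECASE | re.DOTALL), "UNION ... SELECT"),
    (re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE), "time-based function"),
    (re.compile(r"--|/\*|#"), "comment sequence"),
]

# Constructed sample traffic (not real logs): one normal export, one unrelated
# page, then three probes from a second account including a double-encoded quote.
SAMPLE_LOG = """\
198.51.100.7 - alice [06/Apr/2026:10:01:02 +0000] "GET /glpi/front/log.php?export=csv&id=12 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - alice [06/Apr/2026:10:01:40 +0000] "GET /glpi/front/ticket.php?id=55 HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
203.0.113.42 - mallory [06/Apr/2026:10:05:11 +0000] "GET /glpi/front/log.php?export=csv&id=12%27%20UNION%20SELECT%20name,password%20FROM%20glpi_users--%20- HTTP/1.1" 200 1843201 "-" "python-requests/2.31"
203.0.113.42 - mallory [06/Apr/2026:10:05:13 +0000] "GET /glpi/front/log.php?export=csv&id=12%29%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 4210 "-" "python-requests/2.31"
203.0.113.42 - mallory [06/Apr/2026:10:05:20 +0000] "GET /glpi/front/log.php?export=csv&id=12%2527 HTTP/1.1" 500 612 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def decode_url(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %2527 is caught as well as %27."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def sqli_markers(text):
    return [label for pattern, label in SQLI_MARKERS if pattern.search(text)]


def analyze(lines, size_threshold=1_000_000, request_threshold=3):
    """Return (findings, frequent_actors) for requests to EXPORT_PATH.

    findings: one dict per request with injection markers, an oversized response
    or a 5xx status. frequent_actors: {(ip, user): count} for actors reaching
    request_threshold export requests.
    """
    findings = []
    per_actor = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urllib.parse.urlsplit(rec["url"])
        if parts.path != EXPORT_PATH:
            continue
        actor = (rec["ip"], rec["user"])
        per_actor[actor] += 1
        query = decode_url(parts.query)
        reasons = sqli_markers(query)
        if rec["size"] >= size_threshold:
            reasons.append(f"large response ({rec['size']} bytes)")
        if rec["status"].startswith("5"):
            reasons.append(f"server error (status {rec['status']})")
        if reasons:
            findings.append({"ip": rec["ip"], "user": rec["user"], "time": rec["ts"],
                             "query": query, "reasons": reasons})
    frequent = {actor: n for actor, n in per_actor.items() if n >= request_threshold}
    return findings, frequent


if __name__ == "__main__":
    found, frequent = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['ip']} user={f['user']}: {', '.join(f['reasons'])}")
        print(f"    query: {f['query']}")
    for (ip, user), n in frequent.items():
        print(f"{ip} user={user} requested the export endpoint {n} times")
```

Run it against a real access log with `analyze(open(path).readlines())`. The size threshold should be set from the normal export sizes in your environment; the UNION probe in the sample is flagged both for its syntax and for its response size, which is the combination worth escalating.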
How to Mitigate CVE-2026-29047
Immediate Actions Required
- Upgrade GLPI to version 10.0.24 or later for the 10.x branch
- Upgrade GLPI to version 11.0.6 or later for the 11.x branch
- Review database access logs for any signs of exploitation prior to patching
- Audit user accounts with access to the logs export feature and revoke unnecessary permissions
Patch Information
GLPI has released security patches addressing this vulnerability. Users running GLPI versions 10.0.0 through 10.0.23 should upgrade to version 10.0.24 or later. Users running GLPI 11.x versions prior to 11.0.6 should upgrade to version 11.0.6 or later. The patches implement proper input sanitization and parameterized queries to prevent SQL injection attacks in the logs export feature. For detailed information, consult the GitHub Security Advisory GHSA-3m49-qf92-vccr.
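To decide quickly whether an installation falls in an affected range, the following added helper (not a GLPI tool) compares a version string against the fixed releases named above, and optionally reads the version from the installation. It assumes, as in upstream GLPI, that inc/define.php contains a line of the form define('GLPI_VERSION', '10.0.x'); verify that against your tree before relying on the file-reading part:

```python
import re
from pathlib import Path

# Fixed releases from the advisory, keyed by major version; majors not listed
# here (9.x, 12.x) are outside the published affected ranges.
FIXED_IN = {10: (10, 0, 24), 11: (11, 0, 6)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumption: GLPI_VERSION is defined in inc/define.php in this form.
DEFINE_RE = re.compile(r"define\(\s*'GLPI_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(version):
    """'10.0.24' -> (10, 0, 24). A pre-release suffix such as '-rc1' is ignored,
    which errs on the side of reporting a pre-release as affected."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for 10.x below 10.0.24 and 11.x below 11.0.6."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[0])
    return fixed is not None and v < fixed


def version_from_define(php_source):
    """Extract the GLPI_VERSION constant from the text of inc/define.php, or None."""
    m = DEFINE_RE.search(php_source)
    return m.group(1) if m else None


def check_install(glpi_root):
    """Return (version, affected) for the GLPI tree rooted at glpi_root."""
    source = Path(glpi_root, "inc", "define.php").read_text(encoding="utf-8")
    version = version_from_define(source)
    if version is None:
        raise ValueError("GLPI_VERSION not found in inc/define.php")
    return version, is_affected(version)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/glpi"
    version, affected = check_install(root)
    print(f"GLPI {version}: {'affected, upgrade required' if affected else 'not in an affected range'}")
```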
Workarounds
- Restrict access to the logs export feature to only essential administrative users until patching is complete
- Implement WAF rules to block requests containing SQL injection patterns targeting GLPI
- Use network segmentation to limit access to the GLPI application from untrusted networks
- Configure the GLPI database user with least privilege: grant it rights only on the GLPI schema and withhold global privileges such as FILE and SUPER, so that a successful injection cannot read or write files on the database host or reach other databases
# Example: Restrict logs export access via Apache configuration
# Assumes GLPI is served under /glpi and that this is the export endpoint in
# your version; verify the path against your deployment. "Require group" needs
# an authentication and group provider (e.g. AuthType with AuthGroupFile) already
# configured for this virtual host, and restricts the whole page, not only exports.
<Location "/glpi/front/log.php">
    Require group glpi-admins
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


