CVE-2026-26001 in glpi-inventory-plugin
Summary
by MITRE • 03/18/2026
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non-sanitized user input can lead to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.
Analysis
by VulDB Data Team • 03/23/2026
The GLPI Inventory Plugin is the GLPI component that performs network discovery, asset inventory, software deployment and data collection for GLPI agents, which places it between the managed infrastructure and the central inventory database. In versions prior to 1.6.6 the plugin's reporting functionality does not adequately sanitize user input: a user who holds the rights needed to run reports can supply crafted input that is incorporated into an SQL statement and changes its meaning, so that attacker-chosen SQL runs against the GLPI database. This is a textbook SQL injection, classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The precondition is an authenticated GLPI account with report rights rather than an anonymous request, which makes the flaw most dangerous in deployments where those rights are granted to many accounts or to accounts whose credentials are weakly protected.
The impact is not limited to the report being generated. The injected SQL executes with the database privileges of the plugin's own connection, so an attacker with report rights could potentially read tables well beyond the inventory data, user records and password hashes included, alter inventory records, or tamper with GLPI's own authorization data to escalate to an administrative profile, depending on what the injection point permits. Because report generation is an ordinary function of the plugin, the attack surface is every account allowed to run reports, and a malicious request is hard to distinguish from routine use. In ATT&CK terms the entry point is a valid account (T1078, Valid Accounts); a successful injection then serves as the means of collecting data from the database and of escalating privileges within GLPI. Organizations running a vulnerable plugin version therefore face exposure of inventory and user data and a possible takeover of the GLPI instance.
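The mechanism described in the two paragraphs above, as an added example that is not code from the GLPI Inventory Plugin or from the advisory: a report filter spliced into an SQL string next to the same query with a bound parameter, run against a constructed in-memory SQLite database. The table, column and filter names, the sample rows, and the payloads are assumptions chosen to illustrate CWE-89; the advisory does not say which report parameter is affected.

```python
"""Constructed illustration of a CWE-89 flaw in a report filter and its fix.

Added example for the CVE-2026-26001 write-up; not the plugin's code.
Assumed names: tables `assets` and `users`, report filter `site`.
"""
import sqlite3

# Constructed sample data standing in for inventory and user tables.
INVENTORY_ROWS = [
    ("srv-db-01", "Linux", "dc1"),
    ("srv-web-01", "Linux", "dc1"),
    ("ws-finance-07", "Windows", "hq"),
]
USER_ROWS = [
    ("glpi", "$2y$10$fakehash_admin", 1),  # fake hash, constructed
    ("tech", "$2y$10$fakehash_tech", 0),
]

# Payloads an attacker with report rights might submit as the filter value.
PAYLOAD_BYPASS = "' OR 1=1 --"
PAYLOAD_UNION = "' UNION SELECT login, pw_hash, is_admin FROM users --"


def build_db() -> sqlite3.Connection:
    """Fresh in-memory database with the two constructed tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE assets (name TEXT, os TEXT, site TEXT)")
    con.execute("CREATE TABLE users (login TEXT, pw_hash TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO assets VALUES (?, ?, ?)", INVENTORY_ROWS)
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USER_ROWS)
    return con


def report_vulnerable(con: sqlite3.Connection, site: str) -> list:
    """'Before' pattern: the filter value becomes part of the SQL text.

    A quote in `site` closes the literal and the rest of the value is parsed
    as SQL, which is exactly the CWE-89 condition the advisory describes.
    """
    sql = f"SELECT name, os, site FROM assets WHERE site = '{site}'"
    return con.execute(sql).fetchall()


def report_fixed(con: sqlite3.Connection, site: str) -> list:
    """'After' pattern: the value is bound as a parameter, never parsed as SQL.

    The same payloads are now just strings compared against the column, so a
    filter containing quotes or keywords matches nothing instead of rewriting
    the query.
    """
    sql = "SELECT name, os, site FROM assets WHERE site = ?"
    return con.execute(sql, (site,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, honest filter :", report_vulnerable(con, "dc1"))
    print("vulnerable, bypass        :", report_vulnerable(con, PAYLOAD_BYPASS))
    print("vulnerable, UNION leak    :", report_vulnerable(con, PAYLOAD_UNION))
    print("fixed, bypass             :", report_fixed(con, PAYLOAD_BYPASS))
    print("fixed, UNION              :", report_fixed(con, PAYLOAD_UNION))
```

The UNION payload shows why the impact paragraph reaches beyond inventory data: the report's own SELECT returns rows from the users table, hashes included, because the injected text is parsed as part of the query. In GLPI code the equivalent of `report_fixed` is to build queries through the DB layer's array-based criteria rather than by concatenating strings, which is the general remedy for CWE-89 regardless of how the upstream 1.6.6 change is implemented.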
Remediation is to upgrade the GLPI Inventory Plugin to version 1.6.6 or later on every GLPI instance, since the fix lives in the plugin rather than in GLPI itself. Security teams should first enumerate all GLPI deployments, including test and staging copies, and confirm the installed plugin version on each, either from GLPI's plugin management page or from the version declared in the plugin directory, so that no instance is left behind. Where an upgrade cannot be applied immediately, reduce the number of accounts and profiles that hold report rights in the plugin, because that right is the precondition for exploitation, and review access to the GLPI database from the application host. The advisory attributes the fix to sanitizing the input; whatever form the upstream change takes, the durable defence against CWE-89 is to pass user-supplied values to the database as bound parameters rather than escaping them into the query string, which removes the root cause instead of filtering symptoms. Because the same reporting and filtering patterns recur elsewhere in the GLPI ecosystem, the affected code paths and comparable plugins deserve a code review and targeted testing for similar injection points, and a check of web server and GLPI logs for report requests carrying SQL metacharacters is a reasonable step if the vulnerable version was exposed to users for any length of time. The case is a reminder that timely plugin patching matters as much as patching the core application.
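An added helper for the version check in the remediation paragraph, written for this write-up and not part of the advisory or the plugin: it reads the version declared in the plugin's setup.php and compares it against the fixed release. It assumes the plugin declares its version in a `define('PLUGIN_GLPIINVENTORY_VERSION', '...')` line, which is an assumption about the plugin's source layout to verify against your installed copy; the sample setup.php excerpt is constructed. A pre-release suffix such as `-dev` is treated as older than the matching release, so a development build of 1.6.6 is still reported as vulnerable.

```python
"""Added version check for the GLPI Inventory Plugin fix (1.6.6).

Not the plugin's or the advisory's code. The `define(...)` pattern it looks
for is an assumption about the plugin's setup.php; adjust if your copy differs.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "1.6.6"  # first fixed release according to the advisory

# Assumed layout of the version constant in the plugin's setup.php.
VERSION_DEFINE = re.compile(
    r"""define\(\s*['"]PLUGIN_GLPIINVENTORY_VERSION['"]\s*,\s*['"]([^'"]+)['"]"""
)

# Constructed excerpt of a setup.php from a vulnerable install (not real file content).
SAMPLE_SETUP_PHP = """<?php
// constructed excerpt for the example
define('PLUGIN_GLPIINVENTORY_VERSION', '1.6.5');
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.5' into a comparable tuple, padded to three numeric parts.

    A suffix after '-' or '+' (e.g. '1.6.6-dev') marks a pre-release and is
    ranked below the plain release by a trailing -1, so it counts as unfixed.
    """
    pieces = re.split(r"[-+]", text.strip(), maxsplit=1)
    core, has_suffix = pieces[0], len(pieces) > 1
    parts = tuple(int(p) for p in core.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((-1,) if has_suffix else (0,))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def version_from_setup_php(source: str) -> Optional[str]:
    """Extract the declared plugin version from setup.php text, if present."""
    match = VERSION_DEFINE.search(source)
    return match.group(1) if match else None


def check_plugin_dir(plugin_dir: str) -> dict:
    """Inspect an installed plugin directory and report its patch status.

    `plugin_dir` is the directory that holds the plugin's setup.php, e.g.
    <glpi root>/plugins/glpiinventory (path is an assumption about the install).
    """
    setup_path = Path(plugin_dir) / "setup.php"
    if not setup_path.is_file():
        return {"path": str(setup_path), "version": None, "vulnerable": None,
                "note": "setup.php not found"}
    version = version_from_setup_php(setup_path.read_text(errors="replace"))
    if version is None:
        return {"path": str(setup_path), "version": None, "vulnerable": None,
                "note": "version constant not found; check the file by hand"}
    return {"path": str(setup_path), "version": version,
            "vulnerable": is_vulnerable(version), "note": ""}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_plugin_dir(sys.argv[1]))
    else:
        v = version_from_setup_php(SAMPLE_SETUP_PHP)
        print(f"sample setup.php declares {v}: vulnerable={is_vulnerable(v)}")
```

Run it with the plugin directory as the argument on each GLPI host; a result with `vulnerable: None` means the file could not be interpreted and needs a manual look rather than being treated as patched. The same comparison can be applied to the version GLPI records for the plugin in its own database, which is a useful cross-check when the filesystem and the registered plugin state disagree after an incomplete upgrade.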