GLPI (Gestionnaire Libre de Parc Informatique) is an open-source IT asset and service management software widely used for inventory, helpdesk, and ITIL processes. CVE-2026-25936 is a SQL injection vulnerability classified under CWE-89, indicating improper neutralization of special elements used in SQL commands. This vulnerability exists in GLPI versions starting from 11.0.0 up to 11.0.5 inclusive. An authenticated user can craft malicious input that is improperly sanitized before being incorporated into SQL queries, allowing execution of arbitrary SQL commands on the backend database. This can lead to unauthorized disclosure of sensitive information stored in the database. The vulnerability requires authentication but no additional user interaction, and the attack vector is network-based. The CVSS v3.1 base score is 6.5 (medium severity), reflecting high impact on confidentiality but no impact on integrity or availability. The vulnerability was publicly disclosed on March 17, 2026, and fixed in version 11.0.6. No known exploits have been reported in the wild, but the presence of this flaw in a popular IT management tool poses a significant risk if left unpatched.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data managed by GLPI, including IT asset inventories, user information, and helpdesk tickets. Attackers with valid credentials can exploit the SQL injection to extract confidential information from the database, potentially leading to data breaches and compliance violations. Although the vulnerability does not allow modification or deletion of data (no integrity impact) or denial of service (no availability impact), the exposure of sensitive internal data can facilitate further attacks or insider threats. Organizations relying on GLPI for IT asset management and service desk operations worldwide could face reputational damage, regulatory penalties, and operational risks if this vulnerability is exploited. The requirement for authentication limits exposure to internal or compromised users, but insider threats or credential theft scenarios remain critical concerns.

Organizations should immediately upgrade GLPI installations to version 11.0.6 or later, where this vulnerability is patched. Until upgrade is possible, restrict access to GLPI to trusted users and networks, enforce strong authentication mechanisms, and monitor for unusual database query patterns or access attempts. Employ web application firewalls (WAFs) with SQL injection detection rules tailored to GLPI traffic to provide an additional layer of defense. Conduct regular audits of user privileges to minimize the number of users with access to GLPI. Additionally, review database logs for suspicious queries indicative of SQL injection attempts. Developers maintaining GLPI customizations should review code for similar SQL injection risks and apply parameterized queries or prepared statements consistently. Finally, maintain an incident response plan to quickly address any suspected exploitation.