CVE-2026-26001 is an SQL injection vulnerability classified under CWE-89, affecting the GLPI Inventory Plugin, a component used for network discovery, inventory management, software deployment, and data collection within the GLPI ecosystem. The vulnerability exists in versions prior to 1.6.6 due to improper neutralization of special elements in SQL commands generated from user-supplied input in report functionalities. Specifically, the plugin fails to adequately sanitize or parameterize inputs, enabling an attacker with sufficient privileges to craft malicious SQL queries that can manipulate the backend database. The CVSS 3.1 base score of 7.1 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality impact, limited integrity impact, and no availability impact. The vulnerability allows unauthorized reading of sensitive data stored in the database and potential modification of some data elements, though it does not enable denial of service. The flaw was publicly disclosed in March 2026, with no known exploits in the wild reported to date. Remediation involves upgrading to version 1.6.6 or later, where input validation and query parameterization have been implemented to neutralize this threat.

The primary impact of CVE-2026-26001 is unauthorized disclosure of sensitive information stored within the GLPI Inventory Plugin's database, which may include detailed network inventory, software deployment records, and agent data. This can lead to exposure of internal IT infrastructure details, aiding further targeted attacks or espionage. Partial integrity compromise could allow attackers to alter some inventory data, potentially disrupting asset management accuracy and operational decisions. Although availability is not affected, the confidentiality breach alone can have severe consequences for organizations relying on GLPI for IT asset management. Organizations in sectors such as government, finance, healthcare, and large enterprises with extensive IT infrastructure are at higher risk due to the critical nature of their data and the strategic value of their network inventories. The requirement for privileges limits exploitation to insiders or attackers who have already gained some level of access, but the low complexity and network accessibility make it a significant risk if left unpatched.

To mitigate CVE-2026-26001, organizations should immediately upgrade the GLPI Inventory Plugin to version 1.6.6 or later, where the vulnerability has been patched through proper input sanitization and query parameterization. Additionally, restrict plugin access to trusted users with the minimum necessary privileges to reduce the risk of exploitation. Implement network segmentation and access controls to limit exposure of the GLPI management interface to only authorized personnel. Regularly audit user privileges and monitor database query logs for suspicious activity indicative of SQL injection attempts. Employ web application firewalls (WAFs) with SQL injection detection rules as an additional protective layer. Conduct security training for administrators to recognize and respond to potential exploitation attempts. Finally, maintain up-to-date backups of GLPI data to ensure recovery in case of data integrity issues.