CVE-2026-26001 is a vulnerability classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL injection, affecting the GLPI Inventory Plugin, a component used for network discovery, inventory management, software deployment, and data collection within the GLPI IT asset management ecosystem. Specifically, versions of the plugin prior to 1.6.6 fail to properly sanitize user-supplied input in the reporting functionality. This flaw allows an authenticated user with sufficient privileges to craft malicious SQL queries that the backend database executes. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), meaning exploitation is straightforward once access is obtained. The impact primarily affects confidentiality (C:H), allowing attackers to read sensitive data from the database, with a lesser impact on integrity (I:L) due to potential unauthorized modifications. Availability is not impacted (A:N). The vulnerability was publicly disclosed on March 17, 2026, with no known exploits in the wild at the time of disclosure. The issue is resolved in GLPI Inventory Plugin version 1.6.6, which includes proper input validation and sanitization to prevent SQL injection. The vulnerability is significant because GLPI is widely used in enterprise environments for IT asset and inventory management, making the plugin a critical component for maintaining accurate and secure infrastructure data.

The primary impact of CVE-2026-26001 is unauthorized disclosure of sensitive information stored within the GLPI Inventory Plugin's backend database. Attackers exploiting this vulnerability can access confidential data related to network assets, software inventories, and potentially user information, which could facilitate further attacks or data breaches. The integrity of the inventory data may also be partially compromised, undermining trust in asset management processes. Although availability is not affected, the breach of confidentiality and integrity can lead to significant operational and compliance risks, including violation of data protection regulations. Organizations relying on GLPI for IT asset management could face increased risk of targeted attacks, espionage, or internal misuse if this vulnerability is exploited. The requirement for authenticated access limits exposure to some extent but does not eliminate risk, especially in environments with many users or weak access controls. The lack of known exploits in the wild suggests limited immediate threat, but the ease of exploitation and high impact warrant urgent remediation.

To mitigate CVE-2026-26001, organizations should immediately upgrade the GLPI Inventory Plugin to version 1.6.6 or later, where the vulnerability is patched. Until the upgrade is applied, restrict plugin access to trusted users only and enforce the principle of least privilege to minimize the number of users with adequate rights to exploit the vulnerability. Implement strong authentication mechanisms and monitor user activity for suspicious behavior indicative of SQL injection attempts. Additionally, deploy web application firewalls (WAFs) with rules designed to detect and block SQL injection patterns targeting GLPI endpoints. Conduct regular security audits and code reviews of custom GLPI plugins or integrations to ensure input validation best practices are followed. Maintain up-to-date backups of GLPI databases to enable recovery in case of data integrity compromise. Finally, educate administrators and users about the risks of SQL injection and the importance of applying security patches promptly.