CVE-2026-26988 & CVE-2026-26990: Critical SQL Injection Flaws Rock LibreNMS — Public PoC Raises Urgent Upgrade Warning

LibreNMS — Product Overview

Product: LibreNMS
Type: Open-source network monitoring system
Technology Stack: PHP application with MySQL/MariaDB backend
Affected Area: ajax_table.php (Address search functionality)
Affected Versions: All versions prior to 26.2.0
Fixed Version: 26.2.0

LibreNMS is widely deployed inside enterprise networks to monitor routers, switches, firewalls, and servers. Because it usually has access to sensitive infrastructure data and credentials, any SQL injection vulnerability in this platform carries elevated risk.

Two critical SQL Injection vulnerabilities were identified in the address search feature. Both issues stem from improper handling of user-supplied input that is inserted directly into SQL queries without strict parameterization.


Vulnerability Summary Table

Field | CVE-2026-26988 | CVE-2026-26990
Vulnerability Type | SQL Injection | Time-Based Blind SQL Injection
Component | ajax_table.php | ajax_table.php
Attack Vector | Network | Network
Authentication | May depend on exposure | Authenticated user required
Impact | Data extraction, DB manipulation | Data extraction via timing inference
CVSS (Estimated) | High / Critical range | High (8.8 range reported)
Exploit Availability | Public PoC disclosed | Public PoC disclosed
Patch Version | 26.2.0 | 26.2.0
CWE | CWE-89 (SQL Injection)

CVE-2026-26988 — SQL Injection in ajax_table.php

Technical Description

The vulnerability was caused by unsanitized input being concatenated into a SQL query. Specifically, the address parameter was split using the / character. The portion after the slash (prefix) was directly embedded inside a SQL condition:

AND ipv6_prefixlen = '$prefix'

Because proper prepared statements were not enforced in this code path, attackers were able to inject arbitrary SQL by manipulating the prefix value.

If a single quote (') was injected, the SQL string context was broken and attacker-controlled SQL statements could be appended.
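The concatenation flaw described above, modelled next to a validated and parameterized form. This is an added example in Python with SQLite, not LibreNMS's PHP code; the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the address table (SQLite, not the LibreNMS schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ipv6_addresses (ipv6_address TEXT, ipv6_prefixlen INTEGER)")
    db.executemany("INSERT INTO ipv6_addresses VALUES (?, ?)",
                   [("2001:db8::1", 64), ("2001:db8:1::1", 48), ("fd00::1", 128)])
    return db

def search_concatenated(db, address):
    """Flawed pattern: the text after '/' is pasted between the quotes."""
    ip, _, prefix = address.partition("/")
    sql = ("SELECT ipv6_address FROM ipv6_addresses WHERE ipv6_address LIKE ? "
           "AND ipv6_prefixlen = '" + prefix + "'")
    return [row[0] for row in db.execute(sql, (f"%{ip}%",))]

def parse_address(address, max_len=128):
    """Split 'ip/prefix'; the prefix must be a plain integer in 0..max_len."""
    ip, sep, prefix = address.partition("/")
    if not sep:
        return ip, None
    if not (prefix.isascii() and prefix.isdigit()) or int(prefix) > max_len:
        raise ValueError("prefix length must be an integer 0..%d" % max_len)
    return ip, int(prefix)

def search_parameterized(db, address):
    """Hardened pattern: validate the prefix, then bind every value."""
    ip, prefix = parse_address(address)
    sql = "SELECT ipv6_address FROM ipv6_addresses WHERE ipv6_address LIKE ?"
    params = [f"%{ip}%"]
    if prefix is not None:
        sql += " AND ipv6_prefixlen = ?"
        params.append(prefix)
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    print(search_concatenated(db, "2001:db8/64"))             # one matching row
    print(search_concatenated(db, "2001:db8/64' OR '1'='1"))  # filter bypassed
    try:
        search_parameterized(db, "2001:db8/64' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already neutralizes the quote; the integer check additionally rejects malformed input before it reaches the database.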

Impact

If exploited successfully:

  • Database contents could be read
  • User password hashes could be extracted
  • Configuration data could be modified
  • Monitoring credentials could be disclosed
  • Administrative accounts could potentially be compromised

If the LibreNMS instance was internet-facing, exposure risk was significantly higher.


CVE-2026-26990 — Time-Based Blind SQL Injection

Technical Description

This vulnerability existed in the same endpoint but allowed blind extraction of data using time delays.

Instead of returning visible SQL errors or output, attackers were able to inject conditional SQL statements using functions like:

  • SLEEP()
  • IF()
  • BENCHMARK()

By measuring server response time, attackers were able to infer database values character by character.

This attack required authentication, meaning a valid user session was necessary to exploit it.

Educational PoC Pattern

For demonstration purposes only:

address=127.0.0.1/1' AND IF(ASCII(SUBSTRING((SELECT user()),1,1))>64,SLEEP(5),0)-- -

If the response was delayed by 5 seconds, the condition evaluated as true. By automating such requests, full database content extraction became possible.

This technique is known as binary search inference via timing.


Exploitation Scenarios

  1. An authenticated low-privilege user logs into LibreNMS.
  2. The user sends crafted POST requests to /ajax_table.php.
  3. Malicious SQL is injected via the address parameter.
  4. The database executes injected SQL.
  5. Sensitive data is retrieved or manipulated.

In blind exploitation, repeated requests are sent with varying payloads to extract data progressively.


MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1505.003 – Web Shell (if post-exploitation achieved)
  • T1005 – Data from Local System
  • T1041 – Exfiltration Over C2 Channel

Indicators of Compromise

The following behavioral patterns were commonly observed during testing:

  • Repeated POST requests to /ajax_table.php
  • address parameter containing:
    • '
    • %27
    • SLEEP(
    • BENCHMARK(
    • --
    • /*
  • Noticeable 3–10 second response delays
  • Large volumes of nearly identical requests from the same IP
  • Database slow query logs showing SLEEP() execution
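A log triage sketch for the indicators listed above, added here as an example rather than taken from the original post. It percent-decodes the POST body before matching, so form-encoded input (%27, %2F) is caught as well as literal characters. The JSON record format, field names and sample records are constructed and assume a proxy or WAF log that retains the request body and response time.

```python
import json
from collections import Counter
from urllib.parse import parse_qs

MARKERS = ("'", "sleep(", "benchmark(", "--", "/*")  # from the indicator list

def indicators(record):
    """Return the markers found after '/' in the decoded address parameter."""
    if record["method"] != "POST" or not record["path"].endswith("/ajax_table.php"):
        return []
    # parse_qs percent-decodes, so %27 and %2F are seen as ' and /
    values = parse_qs(record["body"], keep_blank_values=True).get("address", [])
    hits = []
    for value in values:
        _, _, prefix = value.lower().partition("/")
        hits += [m for m in MARKERS if m in prefix and m not in hits]
    if hits and record.get("secs", 0) >= 3:
        hits.append("slow-response")  # 3-10 s delays accompany timing probes
    return hits

def flag_sources(lines, threshold=5):
    """Count flagged requests per source; report sources above the threshold."""
    counts = Counter()
    for line in lines:
        record = json.loads(line)
        if indicators(record):
            counts[record["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}

def sample_lines():
    """Constructed records (hypothetical log format, documentation IP ranges)."""
    probe = {"src": "192.0.2.5", "method": "POST", "path": "/ajax_table.php",
             "body": "address=127.0.0.1%2F1%27+AND+SLEEP%285%29--+-", "secs": 5.1}
    normal = dict(probe, src="192.0.2.9",
                  body="address=2001%3Adb8%3A%3A%2F64", secs=0.2)
    single = dict(probe, src="192.0.2.7", body="address=10.0.0.0%2F8%27", secs=0.3)
    return [json.dumps(probe)] * 7 + [json.dumps(normal), json.dumps(single)]

if __name__ == "__main__":
    print(flag_sources(sample_lines()))
```

Only the text after the slash is inspected, so a legitimate IPv6 address such as 2001:db8::/64 does not trigger on its colons.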

Log Sources for Detection

  • Web Server Access Logs (Apache / Nginx)
  • Web Application Firewall Logs
  • PHP Error Logs
  • MySQL/MariaDB General Logs
  • Database Slow Query Logs
  • Authentication Logs
  • Reverse Proxy Logs

Detection Rules

Suricata IDS Rule

# Match POSTs to /ajax_table.php whose body carries SQLi markers after the "/" in the address parameter
alert http any any -> any any (msg:"Possible LibreNMS SQLi Attempt - ajax_table.php address param"; \
    flow:to_server,established; \
    http.method; content:"POST"; \
    http.uri; content:"/ajax_table.php"; \
    http.request_body; pcre:"/address=[^&]*\/[^&]*(\'|%27|sleep\(|benchmark\(|--|\/\*)/i"; \
    sid:10026988; rev:1;)

Snort Rule

# Snort 2 syntax; the pcre runs against the packet payload
alert tcp any any -> any 80 (msg:"LibreNMS SQL Injection Attempt"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/ajax_table.php"; http_uri; \
    pcre:"/address=.*\/.*(\'|%27|SLEEP\(|BENCHMARK\(|--)/i"; \
    sid:10026990; rev:1;)

Splunk Detection Query

index=web sourcetype=access_combined 
"/ajax_table.php" AND "POST" 
| regex _raw="(?i)address=.*(\\'|%27|sleep\\(|benchmark\\(|--)"
| stats count by src_ip
| where count > 5

Elastic (KQL)

url.path : "/ajax_table.php" and 
http.request.method : "POST" and 
http.request.body.content : ("'" or "%27" or "sleep(" or "benchmark(" or "--")

MySQL Detection Query

-- Requires general_log = ON with log_output including TABLE
SELECT * FROM mysql.general_log
WHERE argument LIKE '%SLEEP(%'
OR argument LIKE '%BENCHMARK(%';

Risk Assessment

The risk level was considered high because:

  • SQL injection directly impacts database integrity and confidentiality.
  • LibreNMS typically stores device credentials and monitoring data.
  • Time-based SQL injection enables stealthy extraction.
  • Public PoC code was released.

Even if authentication was required, privilege escalation could follow once database hashes were obtained.


Remediation

Immediate Actions

  • Upgrade to LibreNMS 26.2.0 immediately.
  • Restrict access to the LibreNMS interface.
  • Enable WAF protection if externally accessible.
  • Review logs for suspicious POST patterns.
  • Rotate credentials if compromise is suspected.

Official Patch / Upgrade

Upgrade instructions and official release:

https://community.librenms.org/t/26-2-0-release-announcement/29091
https://github.com/librenms/librenms/releases/tag/26.2.0

Only official vendor resources should be used for patching.


Post-Upgrade Validation Checklist

  • Confirm application version shows 26.2.0
  • Test address search functionality
  • Verify no SQL errors appear in logs
  • Confirm WAF signatures are active
  • Conduct internal vulnerability scan
  • Review authentication logs for anomalies

Aegiron
