CVE-2026-26990
Published: 20 February 2026
Summary
CVE-2026-26990 is a high-severity SQL Injection (CWE-89) vulnerability in Librenms Librenms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the SQL injection by requiring validation and sanitization of the unparameterized address parameter before concatenation into SQL queries.
Ensures timely patching of the LibreNMS SQL injection flaw, as fixed in version 26.2.0 with proper parameterization.
Vulnerability scanning identifies the time-based blind SQL injection in address-search.inc.php for remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in accessible web app (LibreNMS) directly enables T1190 exploitation for initial access/data impact; time-based blind queries facilitate T1213.006 collection from the backend database.
NVD Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into…
more
an SQL query without proper parameter binding, allowing an attacker to manipulate query logic and infer database information through time-based conditional responses. This vulnerability requires authentication and is exploitable by any authenticated user. This issue has been fixedd in version 26.2.0.
Deeper analysisAI
CVE-2026-26990 is a Time-Based Blind SQL Injection vulnerability affecting LibreNMS, an auto-discovering PHP/MySQL/SNMP-based network monitoring tool. The issue resides in the address-search.inc.php file, where the address parameter accepts a crafted subnet prefix that is directly concatenated into an SQL query without proper parameter binding. This flaw impacts versions 25.12.0 and earlier, carrying a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-89 (SQL Injection).
Any authenticated user can exploit this vulnerability remotely with low complexity, as it requires only valid credentials to access the affected endpoint. By supplying a malicious subnet prefix, an attacker can manipulate the SQL query logic and infer sensitive database information through time-based conditional responses, such as delays triggered by functions like SLEEP(). The high CVSS impact ratings indicate potential for significant confidentiality, integrity, and availability compromises, including data extraction or modification.
The vulnerability has been addressed in LibreNMS version 26.2.0. Official mitigation details are available in the GitHub security advisory (GHSA-79q9-wc6p-cf92), the fixing pull request (#18777), and the commit (15429580baba03ed1dd377bada1bde4b7a1175a1), which implement proper parameterization to prevent injection. Security practitioners should upgrade to the patched version and review access controls for authenticated users.
Details
- CWE(s)