CVE-2026-29047
Published: 06 April 2026
Summary
CVE-2026-29047 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection attacks by enforcing input validation mechanisms on user-supplied data in the GLPI logs export feature.
Mitigates the vulnerability by requiring timely identification, reporting, and patching of the SQL injection flaw to fixed GLPI versions 10.0.24 or 11.0.6.
Enables detection of the SQL injection vulnerability through regular vulnerability scanning of the GLPI application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a web-based IT asset management application (GLPI) directly enables remote exploitation of a public-facing service (T1190) by an authenticated high-privileged user; the resulting arbitrary SQL execution provides direct access to the backend database (T1213.006), allowing high-impact data confidentiality, integrity, and availability effects.
NVD Description
GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Deeper analysisAI
CVE-2026-29047 is a SQL injection vulnerability (CWE-89) affecting GLPI, a free open-source asset and IT management software package. The flaw exists in the logs export feature and impacts versions from 10.0.0 up to but not including 10.0.24, as well as versions prior to 11.0.6. Published on 2026-04-06, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An authenticated user with high privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables the attacker to execute arbitrary SQL queries, potentially resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) of the affected GLPI instance.
The vulnerability is fixed in GLPI versions 10.0.24 and 11.0.6. Additional details on the issue and remediation are available in the official security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr.
Details
- CWE(s)