CVE-2026-26990
📋 TL;DR
LibreNMS versions 25.12.0 and below contain a time-based blind SQL injection vulnerability in the address-search functionality. Authenticated attackers can exploit this to infer database information by manipulating query logic through crafted subnet prefixes. This affects any LibreNMS installation with authenticated users.
💻 Affected Systems
- LibreNMS
📦 What is this software?
Librenms by Librenms
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive configuration data, user credentials, and network monitoring information leading to lateral movement within the network.
Likely Case
Data exfiltration of network monitoring information, configuration details, and potentially user credentials from the database.
If Mitigated
Limited impact due to proper network segmentation, minimal user privileges, and database access controls preventing sensitive data exposure.
🎯 Exploit Status
Exploitation requires authentication but any authenticated user can exploit; time-based blind SQL injection requires more sophisticated exploitation than standard SQLi.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.2.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-79q9-wc6p-cf92
Restart Required: No
Instructions:
1. Backup your LibreNMS installation and database. 2. Update LibreNMS to version 26.2.0 or later using git: 'git pull origin master'. 3. Run database updates: './daily.sh'. 4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Restrict User Access
allLimit authenticated user access to only trusted administrators until patching can be completed.
Input Validation Filter
allImplement web application firewall rules or input validation to block SQL injection patterns in the address parameter.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate LibreNMS from sensitive systems
- Enable detailed logging and monitoring for SQL injection attempts in application logs
🔍 How to Verify
Check if Vulnerable:
Check LibreNMS version: 'grep 'version' /opt/librenms/includes/vars.php' or via web interface. If version is 25.12.0 or below, system is vulnerable.Check Version:
grep "\$config['version']" /opt/librenms/includes/vars.phpVerify Fix Applied:
Verify version is 26.2.0 or later and check that the address-search.inc.php file includes proper parameter binding (refer to commit 15429580baba03ed1dd377bada1bde4b7a1175a1).📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests with varying address parameters causing delayed responses
- Patterns of SQL injection attempts in web server logs
Network Indicators:
- Unusual database connection patterns from LibreNMS application server
- Time-delayed responses to address search requests
SIEM Query:
source="librenms_logs" AND (address_search OR address_parameter) AND (sql OR injection OR sleep OR benchmark)