GLPI Template Injection RCE (CVE-2026-26026)
GLPI versions 11.0.0 through 11.0.5 (every 11.0.x release before 11.0.6) allow an authenticated administrator to achieve remote code execution (RCE) on the server via template injection.
GLPI is a widely used open-source IT asset management application. A critical vulnerability, CVE-2026-26026, affects versions 11.0.0 through 11.0.5. The flaw is a template injection that can be triggered by a logged-in administrator; successful exploitation gives that administrator remote code execution on the underlying server. The vulnerability was reported on April 6, 2026, and is fixed in version 11.0.6. Because exploitation requires an administrator account, the practical exposure comes from compromised or malicious administrator credentials, but once that precondition is met the result is full server compromise, which is what the high CVSS score (9.1) reflects. Organizations running vulnerable versions should upgrade immediately.
Attack Chain
- An attacker obtains administrative access to a vulnerable GLPI instance (versions 11.0.0 through 11.0.5), for example through stolen or phished administrator credentials or as a malicious insider.
- The attacker opens a part of the GLPI interface that allows templates to be edited.
- The attacker crafts a template containing a code-injection payload.
- The attacker saves the modified template in GLPI.
- When GLPI renders the saved template, the injected code executes with the privileges of the web server (PHP) process.
- The injected code lets the attacker run arbitrary commands on the server.
- The attacker can then establish a reverse shell or another persistence mechanism.
- From there the attacker can pivot to other systems or exfiltrate sensitive data.
Impact
Successful exploitation of CVE-2026-26026 can lead to complete compromise of the GLPI server. This allows an attacker to gain unauthorized access to sensitive IT asset information, customer data, and potentially other systems on the network. The impact is significant, as it allows for data breaches, service disruption, and further lateral movement within the organization’s infrastructure. Given GLPI’s function in managing IT assets, this can result in widespread damage across the organization.
Recommendation
- Immediately upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26026.
- Review and audit GLPI administrator accounts (including recently created or rarely used ones) for suspicious activity or unauthorized access attempts, and review recent template edits for unexpected content.
- Deploy the Sigma rule “Detect GLPI Template Injection Attempts” to detect exploitation attempts in web server logs.
- Monitor web server logs for unusual POST requests to template management endpoints containing suspicious code constructs. Note that a standard access log records only the request line, not the POST body, so inspecting the submitted template content requires a reverse proxy, WAF or application-level log that captures request bodies.
- Investigate any alerts generated by the “Detect GLPI Template Injection RCE” rule in your SIEM.
- Restrict network access to the GLPI server to only authorized personnel and systems.
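The following triage helper is an added example and is not GLPI code or the platform's Sigma rules. It does two things an incident responder would do first after reading the recommendations above: decide whether a reported GLPI version falls in the affected range (11.0.0 to 11.0.5), and scan request logs for POST requests to template-editing endpoints whose body carries template-engine or PHP command-execution constructs. The endpoint path, the log format (a constructed reverse-proxy format that includes the URL-encoded request body) and the sample log lines are all assumptions, not taken from the advisory; it also assumes the edited templates use Twig-style syntax, so plain `{{ variable }}` expressions are deliberately not flagged because legitimate templates contain them.

```python
"""Triage helper for CVE-2026-26026 (GLPI template injection).

Added example, not GLPI code and not a vendor detection rule.
Assumptions (not from the advisory): the endpoint path below is
hypothetical, and the log format is a constructed reverse-proxy format
that includes the URL-encoded request body. Plain web-server access logs
do not record POST bodies, so run this on proxy/WAF or application logs.
"""
import re
from urllib.parse import unquote_plus

# Affected range per the advisory: 11.0.0 <= version < 11.0.6.
AFFECTED_MIN = (11, 0, 0)
FIXED = (11, 0, 6)


def parse_version(v):
    """'11.0.5' -> (11, 0, 5); trailing suffixes such as '-rc1' are ignored."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not core:
        raise ValueError(f"unrecognised GLPI version: {v!r}")
    return tuple(int(x) for x in core.groups())


def is_affected(v):
    """True when the version is inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


# Hypothetical template-editor path: adjust to your deployment.
TEMPLATE_ENDPOINTS = re.compile(r"/front/notificationtemplate(translation)?\.form\.php")

# Constructs that have no business in a saved template body. Plain
# '{{ var }}' is intentionally not matched: legitimate templates use it.
SUSPICIOUS = re.compile(
    r"\b(attribute|constant|include|source)\s*\("   # Twig functions abused in SSTI
    r"|_self\b"                                        # reference to the template object
    r"|\|\s*(map|filter|reduce|sort)\s*\("             # Twig filters that take callables
    r"|\b(system|exec|passthru|shell_exec|popen|proc_open|eval|file_put_contents)\b",
    re.IGNORECASE,
)

# Constructed log format: ts src user method path status body="<urlencoded>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)


def scan_log(lines):
    """Return one hit per POST to a template endpoint whose body matches SUSPICIOUS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not TEMPLATE_ENDPOINTS.search(m["path"]):
            continue
        body = unquote_plus(m["body"])  # decode the form body before matching
        matches = sorted({x.group(0) for x in SUSPICIOUS.finditer(body)})
        if matches:
            hits.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                         "path": m["path"], "matches": matches})
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # Benign: a normal Twig body is saved; '{{ ticket.id }}' alone is not flagged.
    '2026-04-07T10:12:03Z 203.0.113.7 admin POST /front/notificationtemplatetranslation.form.php 302 '
    'body="content_text=Ticket+%7B%7B+ticket.id+%7D%7D+opened&update=1"',
    # Benign: a GET to the editor is not a save.
    '2026-04-07T10:12:09Z 203.0.113.7 admin GET /front/notificationtemplatetranslation.form.php?id=3 200 body=""',
    # Suspicious: a Twig function call wrapping a PHP command-execution name.
    '2026-04-07T10:15:41Z 198.51.100.23 admin POST /front/notificationtemplatetranslation.form.php 302 '
    'body="content_text=%7B%7B+attribute(x%2C+%22system%22)(%22id%22)+%7D%7D&update=1"',
    # Benign: unrelated endpoint that happens to mention "exec" in free text.
    '2026-04-07T10:16:00Z 203.0.113.9 helpdesk POST /front/ticket.form.php 302 '
    'body="content=please+exec+the+backup+job"',
]

if __name__ == "__main__":
    for ver in ("11.0.5", "11.0.6"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the third sample line produces a hit, attributed to 198.51.100.23 with matches `attribute(` and `system`; the benign template save, the GET, and the unrelated POST are skipped. Tune `TEMPLATE_ENDPOINTS` and `SUSPICIOUS` to the paths and template syntax actually used in your deployment before relying on it.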
Detection coverage (2 rules)
Detect GLPI Template Injection Attempts
Severity: high. Detects potential template injection attempts in GLPI by monitoring for specific patterns in HTTP requests to template management endpoints.
Detect GLPI Template Injection RCE
Severity: critical. Detects possible remote code execution via template injection in GLPI by monitoring for commands being executed on the web server.
Indicators of compromise (1)
| Type | Value |
|---|---|
| Email address | [email protected] |