Executive Summary
CVE-2026-26026 is a critical server-side template injection (SSTI) vulnerability in GLPI, the widely deployed open-source IT asset and service management platform. The flaw affects versions 11.0.0 through 11.0.5 and allows an authenticated administrator to inject malicious template directives that the server executes, resulting in remote code execution (RCE) under the web server's process identity.
The vulnerability carries a CVSS score of 9.1 and has been patched in GLPI 11.0.6, released April 6, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-26026 |
| CVSS Score | 9.1 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High (Administrator) |
| User Interaction | None |
| Affected Software | GLPI 11.0.0 – 11.0.5 |
| Vulnerability Type | Server-Side Template Injection (SSTI) |
| Impact | Remote Code Execution |
| Patch Available | Yes — GLPI 11.0.6 |
| Published | April 6, 2026 |
Affected Products
| Product | Affected Versions | Fixed Version |
|---|---|---|
| GLPI (Free IT Asset Management) | 11.0.0 – 11.0.5 | 11.0.6 |
GLPI is used by thousands of organizations globally for IT help desk, asset inventory, and CMDB functionality. It is especially prevalent in European enterprises, government agencies, and educational institutions.
Technical Analysis
Root Cause: Server-Side Template Injection
The vulnerability originates in GLPI's administrator-facing template rendering system. GLPI uses a templating engine (Twig) to render dynamic content within the admin panel. In the affected versions, certain admin-configurable fields do not properly sanitize or sandbox template expressions before passing them to the renderer.
A malicious administrator — or an attacker who has gained admin credentials — can inject Twig template syntax into these fields. When the template is rendered by the server, the injected expressions execute arbitrary PHP code in the context of the web server process.
Attack Flow
1. Attacker obtains GLPI administrator credentials (credential stuffing, phishing, brute-force, or insider)
2. Attacker navigates to a template-rendering admin feature (e.g. notification templates, custom field rendering, reports)
3. Attacker injects a Twig SSTI payload into a configurable field, for example `{{ system('id') }}` or `{{ ['id']|map('system')|join }}`
4. GLPI's Twig renderer evaluates the expression server-side
5. Output is reflected in the rendered page or stored for later rendering
6. Attacker achieves RCE as the web server user (e.g. www-data)
Why CVSS 9.1 Despite Requiring Admin Access
While administrator privileges are required (lowering the score from the maximum 10.0), the impact metrics are all maximal:
| Metric | Value | Reason |
|---|---|---|
| Confidentiality | High | Full read access to GLPI database, config, and server filesystem |
| Integrity | High | Attacker can modify any data GLPI has access to |
| Availability | High | Server can be taken offline, data destroyed |
| Scope | Changed | GLPI typically runs with access to the underlying OS and connected systems |
In enterprise deployments, GLPI admin accounts are frequently shared among IT staff, making credential compromise a realistic attack path. Additionally, GLPI instances exposed to the internet with default or weak admin credentials are a known target of opportunistic scanning.
SSTI in Twig: Proof-of-Concept Patterns
Twig SSTI in PHP environments follows well-documented patterns. Common escalation payloads leverage Twig's filter system to invoke PHP functions:
```twig
{# Read /etc/passwd #}
{{ "/etc/passwd"|file_get_contents }}

{# Execute system command via PHP filter chain #}
{{ ['cat /etc/passwd']|map('shell_exec')|join }}

{# Using _self to access environment #}
{{ _self.env.registerUndefinedFilterCallback("exec") }}
{{ _self.env.getFilter("id") }}
```
These patterns are variants of publicly known Twig SSTI techniques. CVE-2026-26026 exposes an injection point in the GLPI admin interface that was not previously sanitized.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Attacker executes arbitrary OS commands as the web server user |
| Database Compromise | GLPI has direct access to its database; attacker can dump all asset, ticket, and user data |
| Credential Harvesting | GLPI stores user passwords and API keys; full database access enables bulk extraction |
| ITSM Data Exfiltration | CMDB, hardware inventory, network diagrams, and service configurations exfiltrated |
| Lateral Movement | Compromised web server can be used as a pivot point into internal networks |
| Persistence | Attacker can plant web shells or modify GLPI templates for persistent access |
| Supply Chain Risk | GLPI integrations with Active Directory, LDAP, and ticketing systems create downstream exposure |
Remediation
Step 1: Upgrade to GLPI 11.0.6
The fix is available in the official GLPI 11.0.6 release. Upgrade immediately.
```bash
# Back up your GLPI data and database before upgrading
mysqldump -u glpi_user -p glpi_db > glpi_backup_$(date +%F).sql
cp -r /var/www/glpi /var/www/glpi_backup_$(date +%F)

# Download GLPI 11.0.6
wget https://github.com/glpi-project/glpi/releases/download/11.0.6/glpi-11.0.6.tgz

# Extract and replace (adjust paths for your deployment)
tar xzf glpi-11.0.6.tgz
rsync -av --exclude='config/' --exclude='files/' glpi/ /var/www/glpi/

# Run the GLPI update script
php /var/www/glpi/bin/console db:update

# Verify version
php /var/www/glpi/bin/console glpi:version
```
Step 2: Audit Admin Account Usage
Before upgrading, audit who has GLPI administrator access. Revoke any accounts not in active use.
```sql
-- List all active GLPI accounts that hold a back-office ("central") profile.
-- This is broader than Super-Admin; filter glpi_profiles.name if you only want that role.
SELECT id, name, realname, email, last_login
FROM glpi_users
WHERE is_active = 1
  AND id IN (
    SELECT users_id FROM glpi_profiles_users
    WHERE profiles_id IN (
      SELECT id FROM glpi_profiles WHERE interface = 'central' AND is_default = 0
    )
  )
ORDER BY last_login DESC;
```
Step 3: Restrict Admin Panel Access
If you cannot immediately upgrade:
- Place GLPI behind a VPN, or restrict `/glpi/` to known management IPs at the web server level
- Require MFA for all GLPI administrator logins
- Disable internet exposure of the GLPI admin panel

```nginx
# nginx: restrict GLPI to management subnet
location /glpi/ {
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    deny all;
}
```
Step 4: Check for Compromise Indicators
```bash
# Review web server access logs for SSTI payload patterns.
# Access logs hold only the request line, so payloads sent in POST bodies will not
# appear here; percent-encoded brace variants (%7B%7B, %7B%25) are included in the pattern.
PATTERN='\{\{|\{%|%7B%7B|%7B%25|_self\.env|file_get_contents|shell_exec|system\('
for log in /var/log/nginx/glpi_access.log /var/log/apache2/glpi_access.log; do
    [ -f "$log" ] && grep -iE "$PATTERN" "$log"
done

# Check for unexpected PHP files in the GLPI directory (modified in the last 30 days
# and newer than the shipped version file)
find /var/www/glpi -name "*.php" -newer /var/www/glpi/version -mtime -30

# Review the GLPI admin audit log for suspicious template modifications
# (check the glpi_logs table in the database)
```
Detection Indicators
| Indicator | Description |
|---|---|
| Template syntax in HTTP request parameters | `{{`, `{%`, `_self.env` in POST bodies or query strings |
| Unusual OS-level process spawning from web server user | www-data spawning shells or curl |
| Unexpected outbound connections from GLPI host | Reverse shell or C2 callback |
| New PHP files in GLPI directories | Planted web shell for persistence |
| Database queries selecting credential fields | Credential harvesting activity |
| Admin account logins from new IP addresses | Stolen credential usage |
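An added Python example (not GLPI code and not from the original advisory) that mechanizes the Step 4 log review and the first indicator above: it URL-decodes each request target before matching, so percent-encoded braces that a literal grep misses are still caught, and applies the same dangerous-token check to template bodies exported from the database (the checklist item on notification templates). The log lines, client addresses, paths and template bodies are constructed, and the assumption that a legitimate GLPI 11 template body may itself contain Twig syntax is mine.

```python
import re
from urllib.parse import unquote_plus
# Twig delimiters from the Step 4 grep, plus the PHP-reaching tokens this advisory lists.
DIRECTIVE_RE = re.compile(r"\{\{|\{%")
DANGEROUS_RE = re.compile(
    r"_self\.env|\bfile_get_contents\b|\bshell_exec\b|\bsystem\s*\("  # system('id'), |file_get_contents
    r"|['\"](?:system|exec)['\"]",  # quoted function names handed to a filter, e.g. map('system')
    re.IGNORECASE,
)
# Combined log format: client identd user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')
# Constructed sample log lines and template bodies for illustration; not real GLPI data.
SAMPLE_LOG = """\
10.0.0.9 - - [06/Apr/2026:10:03:14 +0000] "POST /glpi/front/notificationtemplate.form.php HTTP/1.1" 302 0
203.0.113.7 - - [06/Apr/2026:10:05:44 +0000] "GET /glpi/front/search.php?q=%7B%7B+_self.env+%7D%7D HTTP/1.1" 200 880
203.0.113.7 - - [06/Apr/2026:10:06:01 +0000] "GET /glpi/front/search.php?q=%257B%257B HTTP/1.1" 200 880
"""
SAMPLE_TEMPLATES = {  # assumed: a legitimate GLPI 11 template body may itself use Twig syntax
    "ticket_new": "Ticket {{ ticket.title }} was opened by {{ ticket.author }}",
    "suspect": "{{ ['id']|map('system')|join }}",
}

def decode_fully(value: str) -> str:
    """Decode until stable, so a double-encoded brace (%257B -> %7B -> {) is also reduced."""
    while (decoded := unquote_plus(value)) != value:
        value = decoded
    return value

def find_tokens(text: str, directives_too: bool) -> list[str]:
    """Return dangerous tokens in the decoded text; count bare {{ / {% only where asked."""
    decoded = decode_fully(text)
    tokens = DANGEROUS_RE.findall(decoded)
    if directives_too:
        tokens += DIRECTIVE_RE.findall(decoded)
    return tokens

def scan_access_log(log_text: str) -> list[dict]:
    """Flag request lines whose decoded target carries Twig syntax; POST bodies are not logged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        tokens = find_tokens(m.group(3), directives_too=True) if m else []
        if tokens:
            hits.append({"client": m.group(1), "method": m.group(2), "target": decode_fully(m.group(3)), "tokens": tokens})
    return hits

def scan_stored_templates(templates: dict[str, str]) -> dict[str, list[str]]:
    """Stored templates may legitimately contain {{ }}, so look only for dangerous tokens."""
    return {name: t for name, body in templates.items() if (t := find_tokens(body, False))}
```

The POST line in the sample never matches because the access log records only the request line, so pair this scan with the glpi_logs review and the stored-template check rather than relying on it alone.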
Post-Remediation Checklist
- Upgrade all GLPI instances to 11.0.6 or later
- Rotate all GLPI administrator passwords immediately
- Revoke API tokens used by GLPI integrations and reissue
- Audit GLPI admin accounts — remove unused or stale accounts
- Enable MFA on all accounts with administrative access
- Review GLPI notification templates and custom fields for injected payloads
- Scan the GLPI web root for web shells or unexpected PHP files
- Check OS-level audit logs (auditd) for commands executed as the web server user
- Restrict GLPI admin access to internal/VPN IPs only
- Monitor GLPI for unusual activity for at least 30 days post-remediation