diff --git a/src/DbUtils.php b/src/DbUtils.php
index 3470c942aa1..4a8296b90ab 100644
--- a/src/DbUtils.php
+++ b/src/DbUtils.php
@@ -944,6 +944,10 @@ public function getEntitiesRestrictCriteria(
 return [new QueryExpression('true')];
 } elseif (isCommandLine() || Session::isCron()) {
 $value = '0'; // If value is not set, fallback to root entity in cron / command line
+ } else {
+ // No active session and no privileged context: deny all access to prevent
+ // invalid SQL criterion (entities_id = '' on integer column → MySQL warning 1292).
+ return [new QueryExpression('false')];
 }
 }

diff --git a/src/autoload/misc-functions.php b/src/autoload/misc-functions.php
index 74d24ac6c87..085b71f0512 100644
--- a/src/autoload/misc-functions.php
+++ b/src/autoload/misc-functions.php
@@ -42,9 +42,11 @@
 *
 * @return bool
 */
-function isCommandLine()
+function isCommandLine(): bool
 {
- return (PHP_SAPI == 'cli');
+ /** @var bool|null $GLPI_IS_COMMAND_LINE */
+ global $GLPI_IS_COMMAND_LINE;
+ return $GLPI_IS_COMMAND_LINE ?? (PHP_SAPI === 'cli');
 }

 /**
diff --git a/tests/functional/DbUtilsTest.php b/tests/functional/DbUtilsTest.php
index ed476b18031..5e9a230ea19 100644
--- a/tests/functional/DbUtilsTest.php
+++ b/tests/functional/DbUtilsTest.php
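Review bot: The comment on the new `else` branch in src/DbUtils.php justifies the `false` criterion only by MySQL warning 1292, but the branch is a fail-closed access decision and should say so. Judging from that comment, the old fallthrough built `entities_id = ''`, and MySQL compares an empty string with an integer column as 0, so a request with no session entities and no privileged context was presumably filtered onto the root entity rather than onto nothing. I would word it as `// Fail closed: no session entities and no privileged context, so match no rows (the old fallthrough compared entities_id with '', which MySQL coerces to 0, the root entity).` getEntitiesRestrictCriteria() starts and ends outside this hunk, so the outer condition guarding this chain is not visible here.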
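Review bot: In src/autoload/misc-functions.php the new return line lets a writable global turn isCommandLine() to true outside the CLI SAPI, and the DbUtils.php hunk of this same commit shows that result being used to fall back to the root entity. The test only needs to switch the flag off, so the override can be limited to that direction: `return PHP_SAPI === 'cli' && $GLPI_IS_COMMAND_LINE !== false;`. That form also keeps a non-boolean value in the global from being coerced or rejected by the new `: bool` return type. The docblock, which begins above the hunk, should state that `$GLPI_IS_COMMAND_LINE` is a test-only override and can never grant command-line status to a web request.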
@@ -902,6 +902,31 @@ public function testGetEntityRestrict()
 );
 }

+ public function testGetEntitiesRestrictCriteriaWithNoSession(): void
+ {
+ // PHP_SAPI is always 'cli' in PHPUnit and cannot be changed at runtime.
+ // Override via the global read by isCommandLine() to simulate a web context.
+ $GLOBALS['GLPI_IS_COMMAND_LINE'] = false;
+
+ // Ensure no active session entities and no right-check bypass.
+ unset($_SESSION['glpiactiveentities']);
+ unset($_SESSION['glpishowallentities']);
+
+ $this->assertFalse(isCommandLine());
+ $this->assertFalse(\Session::isCron());
+
+ $criteria = getEntitiesRestrictCriteria('glpi_computers');
+ $first = reset($criteria);
+
+ $this->assertCount(1, $criteria);
+ $this->assertIsArray($first);
+ $this->assertCount(1, $first);
+ $this->assertInstanceOf(QueryExpression::class, $first[0]);
+ $this->assertSame('false', (string) $first[0]);
+
+ unset($GLOBALS['GLPI_IS_COMMAND_LINE']);
+ }
+
 /**
 * Run getAncestorsOf tests
 *
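Review bot: The cleanup `unset($GLOBALS['GLPI_IS_COMMAND_LINE']);` at the end of testGetEntitiesRestrictCriteriaWithNoSession() is skipped when any assertion above it fails, which leaves isCommandLine() forced to false for every later test in the same process. Wrapping the body as `try { … } finally { unset($GLOBALS['GLPI_IS_COMMAND_LINE']); }` keeps the override scoped to this test. The two `$_SESSION` keys are unset and never restored; unless the test base class rebuilds the session between tests (not visible here), they should be saved before the unset and put back in the same `finally`.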