Description
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Published: 2026-02-04
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side Request Forgery via Webhook
Action: Apply Patch
AI Analysis

Impact

GLPI versions 11.0.0 through 11.0.4 allow an administrator to configure a webhook that can send requests to any network address. This server‑side request forgery (CWE‑918) could enable the attacker to make internal API calls, harvest sensitive data, or use the compromised instance as a pivot to other systems. The impact is limited to the privileges of the GLPI administrator and the network reachability of the target system, but it can still lead to confidentiality or integrity violations if internal endpoints are accessed.

Affected Systems

The vulnerability exists in the GLPI project’s software for the specified version range. Administrators running GLPI 11.0.0 up to 11.0.4 are affected; versions 11.0.5 and newer have the fix applied.

Risk and Exploitability

The CVSS score of 4.1 classifies the issue as low severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. GLPI is not listed in the CISA KEV catalog. Successful exploitation requires administrative access to the GLPI instance and the ability to create or modify webhook configurations, making the attack vector relatively constrained to authenticated users with elevated privileges.

Generated by OpenCVE AI on April 17, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 11.0.5 or later, which removes the insecure webhook handling code.
  • If an upgrade is not immediately possible, disable webhook functionality or restrict its use to trusted networks to eliminate the SSRF vector.
  • Continuously monitor outbound traffic from the GLPI server for unexpected requests to internal or external resources, and investigate any anomalies promptly.

Generated by OpenCVE AI on April 17, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
Vendors & Products Glpi-project
Glpi-project glpi

Wed, 04 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Title GLPI is Vulnerable to SSRF via Webhooks
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Glpi-project Glpi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:33:19.799Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22247

cve-icon Vulnrichment

Updated: 2026-02-05T14:20:19.601Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T18:16:08.753

Modified: 2026-02-06T21:19:00.433

Link: CVE-2026-22247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses