Description
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.
Published: 2026-05-18
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with Read permission on forms to export the structure of any form, even those they are not authorized to view. This unintended disclosure of form metadata could reveal configuration details, field names, and relationships that are considered sensitive. The weakness is an access control flaw, identified as CWE‑862.

Affected Systems

GLPI – a free asset and IT management software – is affected in releases 11.0.0 through 11.0.6. The GLPI Project states the issue is fixed in version 11.0.7. Administrators should verify whether their deployment falls within the vulnerable range and plan an update accordingly.

Risk and Exploitability

With a CVSS score of 5.1 the vulnerability is considered moderate. No EPSS score is available and it is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation. Attackers must be authenticated with Read rights, a condition that can be met by a legitimate user; the exploitation path simply uses the export interface to retrieve unauthorized form definitions.

Generated by OpenCVE AI on May 19, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the GLPI 11.0.7 update or later to remove the vulnerability.
  • Restrict READ permissions on form objects to only users who truly need that level of access.
  • If an immediate update is not possible, temporarily disable the form export feature or apply a local code patch to prevent unauthorized exports until the official fix is deployed.



Advisories

No advisories yet.

History

Tue, 19 May 2026 01:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Glpi-project; Glpi-project glpi
Vendors & Products | | Glpi-project; Glpi-project glpi

Tue, 19 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.
Title | | GLPI: Unauthorized export of form structure
Weaknesses | | CWE-862
References | |
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T23:46:26.200Z

Reserved: 2026-03-11T21:16:21.660Z

Link: CVE-2026-32312

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T00:16:37.283

Modified: 2026-05-19T00:16:37.283

Link: CVE-2026-32312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T01:30:26Z

Weaknesses