Description
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.
Published: 2026-06-03
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low-privilege user who can open the planning view can delete any object in the GLPI instance, not only their own planning entries. The flaw is a missing authorization check (CWE-862): the planning endpoint does not verify that the caller holds delete rights on the object being targeted, so an attacker can remove tickets, assets, or other entities at will. That destroys the integrity of the stored data, disrupts the operations that depend on it, and undermines trust in the platform as the source of truth for the IT estate.
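The missing check described above, as an added illustration that is not GLPI's code: a constructed model of a planning delete handler that checks only the caller's right on the planning feature (the CWE-862 pattern) next to one that also checks the right on the target object's own type. Rights bit flags, item types, the ownership rule and all names are assumptions made for the example.

```python
"""Constructed model of an authorization-bypass delete handler and its fix.
Not GLPI's code: rights flags, item types and the ownership rule are assumed."""
from dataclasses import dataclass, field

READ, UPDATE, CREATE, DELETE = 1, 2, 4, 8  # assumed GLPI-like right bits


@dataclass
class Item:
    itemtype: str       # e.g. "Computer", "Reminder"
    id: int
    owner_id: int
    in_planning: bool   # True only for objects that genuinely belong to the planning view


@dataclass
class User:
    id: int
    rights: dict[str, int] = field(default_factory=dict)  # feature/itemtype -> right mask

    def has_right(self, scope: str, right: int) -> bool:
        return bool(self.rights.get(scope, 0) & right)


class Store:
    def __init__(self, items):
        self.items = {(i.itemtype, i.id): i for i in items}

    def delete_vulnerable(self, user: User, itemtype: str, item_id: int) -> bool:
        # Only the planning feature right is checked. itemtype/item_id come
        # straight from the request, so any object in the store can be named.
        if not user.has_right("planning", DELETE):
            return False
        return self.items.pop((itemtype, item_id), None) is not None

    def delete_fixed(self, user: User, itemtype: str, item_id: int) -> bool:
        if not user.has_right("planning", DELETE):
            return False
        item = self.items.get((itemtype, item_id))
        if item is None or not item.in_planning:
            return False                      # not a planning object at all
        if not user.has_right(item.itemtype, DELETE):
            return False                      # no delete right on this object type
        if item.owner_id != user.id:
            return False                      # assumed rule: only your own entries
        del self.items[(itemtype, item_id)]
        return True


def demo() -> dict:
    """Runs the same requests against both handlers on constructed data."""
    def fresh() -> Store:
        return Store([
            Item("Computer", 42, owner_id=1, in_planning=False),
            Item("Reminder", 7, owner_id=2, in_planning=True),
            Item("Reminder", 8, owner_id=3, in_planning=True),
        ])

    # Low-privilege user: may delete from planning and own reminders, nothing else.
    low = User(2, {"planning": READ | DELETE, "Reminder": READ | CREATE | DELETE})
    v, f = fresh(), fresh()
    return {
        "vuln_deletes_computer": v.delete_vulnerable(low, "Computer", 42),
        "fixed_blocks_computer": not f.delete_fixed(low, "Computer", 42),
        "fixed_blocks_others_reminder": not f.delete_fixed(low, "Reminder", 8),
        "fixed_allows_own_reminder": f.delete_fixed(low, "Reminder", 7),
        "computer_still_present_after_fixed": ("Computer", 42) in f.items,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the fixed handler is that the planning right only gates entry to the feature; the decision to delete must be made against the specific object, using that object's type and the caller's relationship to it.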

Affected Systems

GLPI 9.5.0 through 10.0.24 and 11.0.0 through 11.0.6 are affected; 10.0.25 and 11.0.7 contain the fix. Releases before 9.5.0 are not listed as affected. The flaw lies in the web application itself: it is reachable over the network by any authenticated account that can open the planning interface, and no special network position or additional component is involved.

Risk and Exploitability

The CVSS 4.0 score of 7.0 rates the flaw as high severity. No EPSS score is available and the issue is not in the CISA KEV catalog, but the trigger is an ordinary UI action in a widely deployed open-source product, so exploitation is realistic. An attacker needs only an authenticated browser session with access to planning: deletion requests are submitted through the planning endpoint naming an object outside the caller's own planning, and no higher role is required. Note that the published CVSS vector records PR:H, which is stricter than the "low privilege users" wording of the description; treat any account holding delete rights on planning as able to trigger the flaw.

Generated by OpenCVE AI on June 3, 2026 at 17:21 UTC.

Remediation

The vendor has fixed the issue in GLPI 10.0.25 and 11.0.7. Until the upgrade is applied, the documented workaround is to disable delete rights for User's planning.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.25 or 11.0.7, where the deletion authorization check on the planning endpoint has been corrected
  • If an immediate upgrade is not possible, remove the delete right on User's planning from every low‑privilege profile, so that the planning endpoint can no longer be used to delete objects
  • Restrict access to the planning interface to the users who actually need it, and review profile and right assignments regularly
  • Log delete operations and review GLPI's history and event logs for deletions of object types that the acting account should not be able to delete, or for bursts of deletions from a single account
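The last action above, as an added example that is not part of the advisory or of GLPI: detection logic run over a few constructed audit lines that flags a user deleting object types outside what their profile should touch, and a burst of deletions from one account inside a short window. The line format, field names, profiles and thresholds are assumptions; GLPI's own log schema differs and would need its own parser.

```python
"""Deletion-abuse detection over constructed audit lines.
Line format, profile scopes and thresholds are assumptions for this example,
not GLPI's log schema or rights model."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) itemtype=(?P<itemtype>\S+) "
    r"items_id=(?P<id>\d+) action=(?P<action>\w+)$"
)

# Assumed: object types each profile is allowed to delete; None = unrestricted.
PROFILE_DELETE_SCOPE = {
    "planning_user": {"Reminder", "PlanningExternalEvent"},
    "admin": None,
}
USER_PROFILE = {"jdoe": "planning_user", "root": "admin"}

# Constructed sample: a low-privilege user deleting assets and a ticket via planning.
SAMPLE = [
    "2026-06-03 17:05:12 user=jdoe itemtype=Reminder items_id=7 action=delete",
    "2026-06-03 17:05:40 user=jdoe itemtype=Ticket items_id=1182 action=delete",
    "2026-06-03 17:05:41 user=jdoe itemtype=Computer items_id=42 action=delete",
    "2026-06-03 17:05:43 user=jdoe itemtype=Software items_id=9 action=delete",
    "2026-06-03 17:06:02 user=root itemtype=Computer items_id=43 action=delete",
    "2026-06-03 17:09:00 user=jdoe itemtype=Reminder items_id=8 action=update",
    "this line does not parse and must be skipped, not crash the detector",
]


def parse(lines):
    """Yield dicts for lines that match LINE; silently skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            ev["id"] = int(ev["id"])
            yield ev


def detect(lines, burst_n=3, window_s=60):
    """Return alert tuples: out-of-scope deletes and per-user delete bursts."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of deletes in the window
    for ev in parse(lines):
        if ev["action"] != "delete":
            continue
        user, ts = ev["user"], ev["ts"]
        profile = USER_PROFILE.get(user, "planning_user")  # unknown users: least privilege
        scope = PROFILE_DELETE_SCOPE.get(profile)
        if scope is not None and ev["itemtype"] not in scope:
            alerts.append(("out_of_scope_delete", user, ev["itemtype"], ev["id"]))
        q = recent[user]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # slide the window
        if len(q) == burst_n:                # fire once, when the threshold is reached
            alerts.append(("delete_burst", user, len(q), window_s))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The out-of-scope rule is the stronger signal for this flaw: a planning user deleting a Computer or Ticket is exactly the behaviour the missing check permits, whereas the burst rule also catches a compromised account working through many objects quickly.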



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 16:00:00 +0000

Type         Values Removed   Values Added
Description                   GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.
Title                         GLPI Vulnerable to Arbitrary Item Deletion via Planning Endpoint
Weaknesses                    CWE-862
References
Metrics                       cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T16:18:31.804Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42318

Vulnrichment

Updated: 2026-06-03T16:18:28.324Z

NVD

Status : Received

Published: 2026-06-03T16:16:29.690

Modified: 2026-06-03T16:16:29.690

Link: CVE-2026-42318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T17:30:36Z

Weaknesses