Description
GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Published: 2026-06-03
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A technician can read any file located in the GLPI_DOC_DIR directory when running GLPI versions starting at 0.50 and up to but not including 10.0.25 and 11.0.7, allowing disclosure of potentially sensitive data. This is a direct result of an authorization bypass flaw (CWE-862).

Affected Systems

The vulnerability affects the GLPI asset and IT management software from the GLPI Project. All releases from version 0.50 through 10.0.24 and 11.0.6 are impacted; the issue was remedied in 10.0.25 and 11.0.7.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate risk. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is via the GLPI web interface, where a user with a technician role can trigger the file read functionality; exploitation requires authenticated access but does not require elevated privileges outside the GLPI application.

Generated by OpenCVE AI on June 3, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.25 or 11.0.7 or newer
  • Limit file system permissions on GLPI_DOC_DIR to deny read access to non-admin users
  • Disable or restrict the file viewer feature for technician-role users

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Glpi-project; Glpi-project glpi
Vendors & Products   -                Glpi-project; Glpi-project glpi

Wed, 03 Jun 2026 16:00:00 +0000

Type           Values Removed   Values Added
Description    -                GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Title          -                GLPI vulnerable to arbitrary file access
Weaknesses     -                CWE-862
References     -
Metrics        -                cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T15:57:44.407Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42320

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-03T16:16:29.843

Modified: 2026-06-03T16:16:29.843

Link: CVE-2026-42320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T17:30:36Z

Weaknesses