Description
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.
Published: 2026-06-03
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user who holds the configuration READ permission can retrieve the details of a specific asset object in GLPI. This unauthorized disclosure of asset information compromises the confidentiality of data that was not intended for that user's access level. The weakness is classified as CWE-862 (Missing Authorization): the access check that should gate the asset object is missing, so a permission granted for reading configuration is sufficient to read the asset.

Affected Systems

GLPI asset and IT management software versions from 0.78 up to, but not including, 10.0.25 and 11.0.7 are affected. Users running any of these versions are vulnerable until they upgrade to 10.0.25 or 11.0.7.

Risk and Exploitability

The CVSS score of 7 indicates a high-severity vulnerability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid user credentials with READ permission; the attack vector is therefore through legitimate user accounts that may be compromised or over-privileged. Once accessed, the attacker can read asset data that the user should not be able to see, potentially enabling further reconnaissance or data exfiltration.

Generated by OpenCVE AI on June 3, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to at least version 10.0.25 or 11.0.7 to apply the vendor patch.
  • Review the configuration to restrict the READ permission so that only users who truly need asset‑reading capability retain it.
  • If an upgrade cannot be performed immediately, consider temporarily disabling asset‑reading features for non‑admin users through custom configuration or access‑control rules until the update is applied.


Tracking


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Glpi-project; Glpi-project glpi
Vendors & Products   |                | Glpi-project; Glpi-project glpi

Wed, 03 Jun 2026 16:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 16:00:00 +0000

Type         | Values Removed | Values Added
Description  |                | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.
Title        |                | GLPI vulnerable to unauthorized reading of a specific asset object
Weaknesses   |                | CWE-862
References   |                |
Metrics      |                | cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Glpi-project Glpi
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T16:02:28.714Z

Reserved: 2026-05-05T17:39:31.111Z

Link: CVE-2026-44281

Vulnrichment

Updated: 2026-06-03T16:02:14.651Z

NVD

Status : Deferred

Published: 2026-06-03T16:16:30.350

Modified: 2026-06-04T15:41:35.193

Link: CVE-2026-44281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:00:06Z

Weaknesses