GLPI
CVE-2026-32312
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionGitHub Advisory
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.
AnalysisAI
Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.
Technical ContextAI
GLPI (Gestionnaire Libre de Parc Informatique) is an open-source IT asset management and helpdesk platform. Its forms module allows administrators to design custom data-collection forms, which may encode sensitive process logic, field structures, or internal workflow configurations. The vulnerability maps to CWE-862 (Missing Authorization): the export endpoint performs a coarse-grained permission check (does the user have any forms READ permission?) without enforcing a fine-grained object-level check (does the user have READ permission on this specific form?). This is a classic broken object-level authorization (BOLA/IDOR) pattern. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N confirms remote network exploitability with no special attack preconditions, but mandates high privilege level (PR:H), which significantly constrains the attacker population. Affected CPE data was not explicitly provided in the intelligence feed; affected versions are 11.0.0-11.0.6 as stated in the GitHub security advisory (GHSA-cg63-qchq-q626).
RemediationAI
The primary remediation is to upgrade GLPI to version 11.0.7, which contains the vendor-confirmed fix for this authorization bypass. The release is available at https://github.com/glpi-project/glpi/releases/tag/11.0.7. If immediate patching is not feasible, a compensating control is to audit and restrict forms READ permissions to only the users who require access to all forms, minimizing the population of accounts that could trigger the export of unauthorized form structures - note this is an administrative access review, not a technical block, and requires ongoing maintenance. Additionally, network-level access controls restricting GLPI to trusted internal segments would limit the network-reachable attacker pool, though this does not eliminate the authorization flaw. No workaround fully mitigates the missing object-level authorization check without the patch.
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installati
GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers ca
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. Rat
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking an
inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _pr
GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. Rated high
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Rated high severity (
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. Rated hig
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to exec
GLPI is a Free Asset and IT Management Software package. Rated high severity (CVSS 8.1), this vulnerability is remotely
Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands vi
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL co
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today