Which versions of GLPI are affected by CVE-2026-42317?

GLPI asset management systems (versions 0.78-11.0.6) contain a flaw allowing authenticated technicians to delete any files accessible to the web server, threatening operational continuity and data…. A patch is available.

How to fix or mitigate CVE-2026-42317?

Within 24 hours: Identify all GLPI instances in production and document which are running versions 0.78-10.0.24 or 11.0.0-11.0.6. Within 7 days: Apply vendor patch (update affected instances to versions released beyond 10.0.24 for legacy track or 11.0.6 for current track). Within 30 days: Audit technician account activities for abnormal file deletion patterns and review access controls for the web process.

GLPI CVE-2026-42317

Q: What is the CVSS score of CVE-2026-42317?

CVE-2026-42317 has a CVSS 4.0 base score of 7.0 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-34105 HIGH

Missing Authorization (CWE-862)

2026-06-03 GitHub_M

Authentication Bypass Glpi

7.0

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.0 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Jun 03, 2026 - 18:30 vuln.today

Patch available

Jun 03, 2026 - 17:01 EUVD

CVSS changed

Jun 03, 2026 - 16:22 NVD

7.0 (HIGH)

CVE Published

Jun 03, 2026 - 15:16 nvd

UNKNOWN (no severity yet)

DescriptionGitHub Advisory

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

AnalysisAI

Arbitrary file deletion in GLPI versions 0.78 through 10.0.24 and 11.0.0 through 11.0.6 allows authenticated technicians to remove any file on the webserver filesystem to which the web process has write permissions. The flaw is tracked as a missing authorization issue (CWE-862) and is tagged as an authentication bypass; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain technician credentials

Delivery

Authenticate to GLPI web UI

Exploit

Invoke vulnerable file operation with traversal path

Execution

Webserver unlinks target file

Impact

Destroy config or logs for DoS/anti-forensics