
GLPI EUVD-2026-34095 | CVE-2026-42318 (HIGH)
Missing Authorization (CWE-862)
Published 2026-06-03 (GitHub_M)
CVSS 4.0 score 7.0 (source: GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory; the only source for this CVE.

CVSS vector breakdown (GitHub Advisory)

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality None, Integrity High, Availability High (VC:N/VI:H/VA:H)
Scope: X (not defined; CVSS 4.0 has no Scope metric, and the S:X in the vector is the supplemental Safety metric)

Lifecycle Timeline (4 events)

Analysis Generated: Jun 03, 2026 18:31 (vuln.today)
Patch available: Jun 03, 2026 17:01 (EUVD)
CVSS changed: Jun 03, 2026 16:22 (NVD), now 7.0 (HIGH)
CVE Published: Jun 03, 2026 15:17 (NVD), severity UNKNOWN at publication

Description (GitHub Advisory)

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.

Analysis (AI-generated)

Unauthorized object deletion in GLPI versions 9.5.0 through 10.0.24 and 11.0.0 through 11.0.6 allows authenticated low-privilege users with planning access to delete arbitrary objects across the asset and IT management platform. The flaw stems from a missing authorization check (CWE-862) in the planning module; no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege GLPI credentials
Delivery: Authenticate to planning module
Exploit: Submit crafted delete request
Execution: Bypass missing authorization check
Persist: Delete arbitrary GLPI objects
Impact: Disrupt IT operations and destroy records

Vulnerability Assessment (AI-generated)

Exploitation: Requires an authenticated GLPI account on an instance running 9.5.0-10.0.24 or 11.0.0-11.0.6 whose profile grants access to the planning feature with the delete right enabled; this is commonly assigned to technician, helpdesk, and supervisor profiles by default. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 4.0 scores this 7.0 with AV:N/AC:L/PR:H/UI:N and VI:H/VA:H: network-reachable, low complexity, no user interaction, but requiring high privileges and yielding integrity and availability impact without confidentiality loss, which matches the "authenticated low-privilege user can mass-delete data" profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who phishes or otherwise compromises a low-privilege technician account with planning access logs in to GLPI over the network, then issues a crafted delete request through the planning interface targeting high-value objects such as tickets, assets, users, or configuration items. Because the planning module does not re-check object-type authorization, the records are removed, producing service disruption, audit-trail destruction, and potential loss of CMDB integrity. No public exploit had been identified at the time of analysis, but the action is trivially reproducible from the web UI.

Remediation: Vendor-released patch: upgrade to GLPI 10.0.25 (for the 10.x branch) or GLPI 11.0.7 (for the 11.x branch) as published in advisory https://github.com/glpi-project/glpi/security/advisories/GHSA-w7mr-3vwm-2j22. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Identify and inventory all GLPI deployments with current version documentation. …
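As an added example (not part of the vuln.today record or the GLPI project), the inventory step above and the Remediation paragraph's version ranges can be turned into a triage script: it parses each instance's version string, tests it against the two affected ranges stated in the advisory (9.5.0 up to but excluding 10.0.25, and 11.0.0 up to but excluding 11.0.7), and reports the fixed release to upgrade to. The hostnames and versions in the sample inventory are constructed.

```python
"""Inventory triage for GLPI CVE-2026-42318 (GHSA-w7mr-3vwm-2j22).

Affected ranges, taken from the advisory text:
  9.5.0  <= version < 10.0.25   (fixed in 10.0.25)
  11.0.0 <= version < 11.0.7    (fixed in 11.0.7)
"""
import re

# (inclusive lower bound, exclusive upper bound = first fixed release)
AFFECTED_RANGES = [
    ((9, 5, 0), (10, 0, 25)),
    ((11, 0, 0), (11, 0, 7)),
]


def parse_version(text):
    """Turn '10.0.24' (optionally 'v'-prefixed or with a suffix such as '-dev')
    into a tuple of ints; a missing patch component is treated as 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def affected_by_cve_2026_42318(version_text):
    """Return the first fixed release ('x.y.z') for the instance's branch if the
    version falls in an affected range, or None if it is not affected."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def triage_inventory(inventory):
    """inventory: {hostname: version string}. Returns a sorted list of
    (hostname, running version, upgrade target) for instances still exposed."""
    findings = []
    for host, ver in inventory.items():
        target = affected_by_cve_2026_42318(ver)
        if target is not None:
            findings.append((host, ver, target))
    return sorted(findings)


# Constructed sample inventory (hypothetical hosts), as a CMDB export might look.
SAMPLE_INVENTORY = {
    "glpi-prod.example.internal": "10.0.24",
    "glpi-test.example.internal": "10.0.25",
    "glpi-legacy.example.internal": "9.5.13",
    "glpi-new.example.internal": "11.0.6",
    "glpi-pilot.example.internal": "11.0.7",
    "glpi-old.example.internal": "9.4.6",
}

if __name__ == "__main__":
    for host, ver, target in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: running {ver}, upgrade to {target}")
```

Note that 9.4.x is reported as not affected only because the advisory's range starts at 9.5.0; such end-of-life branches still warrant an upgrade on their own merits.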




EUVD-2026-34095 vulnerability details – vuln.today
