
GLPI EUVD-2026-34102 | CVE-2026-44281 HIGH
Missing Authorization (CWE-862)
2026-06-03 · GitHub_M
CVSS 4.0 base score 7.0 · GitHub Advisory

Severity by source

GitHub Advisory (primary, and the only source for this CVE): 7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 4.0 base metrics (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High
User Interaction: None
Vulnerable system impact: Confidentiality None / Integrity High / Availability High
Subsequent system impact: Confidentiality None / Integrity None / Availability None

Caveat for triage: the published vector scores vulnerable-system confidentiality as None and integrity and availability as High, which does not match the advisory text describing an unauthorized read of an asset object. CVSS 4.0 has no Scope metric; the threat and environmental metrics are all not defined (X), so the 7.0 is a base score only.

Lifecycle Timeline (newest first)

Jun 03, 2026 18:31 · vuln.today · Analysis generated
Jun 03, 2026 17:01 · EUVD · Patch available
Jun 03, 2026 16:22 · NVD · CVSS changed to 7.0 (HIGH)
Jun 03, 2026 14:06 · NVD · CVE published, no severity yet

Description (GitHub Advisory)

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.

Analysis (AI)

Authorization bypass in GLPI IT asset management software (versions 0.78 through 10.0.24 and 11.0.0 through 11.0.6) permits an authenticated user holding only the config READ permission to access a specific asset object that should be outside their authorization scope. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none' with partial technical impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: obtain a GLPI account whose profile carries config READ
Delivery: authenticate to the GLPI web interface over the network
Exploit: request the vulnerable asset object endpoint
Execution: the endpoint performs no object-level authorization check (CWE-862)
Impact: retrieve asset data the account was not entitled to see

Vulnerability Assessment (AI)

Exploitation: requires an authenticated GLPI session whose profile includes the 'config READ' permission (scored PR:H in the vector), network reachability to the GLPI web interface (AV:N), and a target instance running a vulnerable version in the 0.78-10.0.24 or 11.0.0-11.0.6 range. No user interaction is needed (UI:N). …
Risk Assessment: signals are mixed and lean toward moderate-but-not-urgent priority. No public exploit was identified at the time of analysis and the SSVC exploitation signal is 'none', but the flaw is reachable over the network by any account holding the required right, and the patch is already available, so the cost of fixing is low. …
Exploit Scenario: an attacker who has obtained or been granted a GLPI account whose profile includes the 'config READ' right, for example a junior technician or a compromised service account, logs into the GLPI web interface over the network and requests the specific asset object endpoint that fails to enforce object-level authorization, retrieving inventory data the account was not entitled to see. The attack works wherever config READ has been granted to the account in question; the more broadly that right is assigned, the larger the pool of accounts that can trigger it. …
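The flaw pattern described above, shown as an added illustration that is not GLPI's code and not the actual vulnerable endpoint: a handler that gates on a global right (config READ) but never checks the right or scope that governs the requested object, beside a version that does. The User and Asset types, the READ bit, the entity scoping, the per-itemtype right names and the sample assets are all assumptions made for this demo; the real change shipped in 10.0.25 and 11.0.7 may differ.

```python
"""Hypothetical CWE-862 illustration for the GLPI advisory on this page.
Not GLPI code. All names and data below are invented for the demo."""
from dataclasses import dataclass, field

READ = 1  # hypothetical right bit


@dataclass
class Asset:
    id: int
    itemtype: str      # e.g. "Computer"; the right that should govern reads
    entity_id: int     # scope the object belongs to
    data: dict


@dataclass
class User:
    name: str
    rights: dict = field(default_factory=dict)   # right name -> bit mask
    entities: set = field(default_factory=set)   # entities the session may see

    def has_right(self, name, bit):
        return bool(self.rights.get(name, 0) & bit)


class Forbidden(Exception):
    pass


# Constructed sample objects, not real inventory
ASSETS = {
    42: Asset(42, "Computer", entity_id=1, data={"name": "db-server", "serial": "SN-1"}),
    43: Asset(43, "Computer", entity_id=2, data={"name": "hr-laptop", "serial": "SN-2"}),
}


def get_asset_vulnerable(user, asset_id):
    """Checks only a global right: any 'config' reader can fetch any asset."""
    if not user.has_right("config", READ):
        raise Forbidden("config READ required")
    return ASSETS[asset_id].data


def get_asset_fixed(user, asset_id):
    """Checks the right for the object's own type, then the object's scope."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        # Same exception as a denial so callers cannot enumerate valid ids
        raise Forbidden("no such object")
    if not user.has_right(asset.itemtype.lower(), READ):
        raise Forbidden(f"{asset.itemtype} READ required")
    if asset.entity_id not in user.entities:
        raise Forbidden("object outside caller's entities")
    return asset.data


def access_allowed(handler, user, asset_id):
    """True if the handler returns data, False if it raises Forbidden."""
    try:
        handler(user, asset_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    config_only = User("tech", rights={"config": READ}, entities={1})
    for handler in (get_asset_vulnerable, get_asset_fixed):
        for asset_id in (42, 43):
            print(handler.__name__, asset_id, access_allowed(handler, config_only, asset_id))
```

The point the fixed handler makes is that a coarse right such as config READ says nothing about a Computer record; the check has to name the right that governs the object's type and confirm the object lies inside the caller's scope, and the failure paths should be indistinguishable from each other.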
Remediation: vendor-released patch. Upgrade to GLPI 10.0.25 if running the 10.x branch, or to 11.0.7 if running the 11.x branch, per the upstream advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-prjc-xwmh-rhxw. Deployments on older branches (0.78 through 9.x) are also affected and need to move to one of those two releases. …

Recommended Action (AI)

Within 24 hours: Identify all GLPI deployments running affected versions (0.78-10.0.24 and 11.0.0-11.0.6). …
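A version-triage helper for the first step above, added here as an example and not taken from the page or from the GLPI project. It encodes only the affected ranges stated in the description (0.78 up to but excluding 10.0.25, and 11.0.0 up to but excluding 11.0.7) and maps each affected host to the patched release on the nearest branch. The inventory dictionary and hostnames are constructed sample input.

```python
"""Triage helper for CVE-2026-44281 / GHSA-prjc-xwmh-rhxw.
Added example; not part of GLPI. Affected ranges come from the advisory text:
    0.78 <= v < 10.0.25   and   11.0.0 <= v < 11.0.7
Pre-release suffixes such as '-dev' are ignored and the numeric prefix is
compared, so builds carrying a suffix should still be reviewed by hand."""
import re

AFFECTED_RANGES = (
    ((0, 78, 0), (10, 0, 25)),
    ((11, 0, 0), (11, 0, 7)),
)


def parse_version(v):
    """Turn '10.0.24', 'v9.5.13' or '11.0.7-dev' into a 3-tuple of ints."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(v):
    """True if the version lies inside one of the advisory's affected ranges."""
    pv = parse_version(v)
    return any(lo <= pv < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(v):
    """Patched release on the nearest branch, or None if not affected.
    Anything below 11.0.0 (including 0.78 .. 9.x) is pointed at 10.0.25,
    which is the lowest patched release the advisory names."""
    if not is_affected(v):
        return None
    return "11.0.7" if parse_version(v) >= (11, 0, 0) else "10.0.25"


def triage(inventory):
    """inventory: hostname -> version string. Returns (host, version, fix)
    rows for every host that needs the upgrade."""
    return [
        (host, ver, fixed_version_for(ver))
        for host, ver in inventory.items()
        if is_affected(ver)
    ]


# Constructed sample inventory; hostnames and versions are not real systems
SAMPLE_INVENTORY = {
    "glpi-prod-01": "10.0.24",
    "glpi-prod-02": "10.0.25",
    "glpi-lab": "11.0.6",
    "glpi-new": "11.0.7",
    "glpi-legacy": "9.5.13",
    "glpi-ancient": "0.72",
}

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected, upgrade to {fix}")
```

Feed it the version strings your inventory already collects (the GLPI footer, the About page, or the packaged version file) rather than trusting hostnames; the boundary cases 10.0.25 and 11.0.7 are deliberately excluded, since those are the fixed releases.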


EUVD-2026-34102 vulnerability details – vuln.today