SB2026051871 - Multiple vulnerabilities in GLPI

Published: May 18, 2026 Updated: June 1, 2026

Security Bulletin ID: SB2026051871
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 14 vulnerabilities.


1) Missing Authorization (CVE-ID: CVE-2026-32312)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in form export functionality when exporting form structures. A remote privileged user can export the structure of unauthorized forms to disclose sensitive information.


2) Improper access control (CVE-ID: CVE-2026-42320)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose arbitrary files within GLPI_DOC_DIR.

The vulnerability exists due to improper access control in file access handling when accessing files in GLPI_DOC_DIR. A remote privileged user can read arbitrary files within GLPI_DOC_DIR and disclose their contents.


3) Missing Authorization (CVE-ID: CVE-2026-42318)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete arbitrary objects.

The vulnerability exists due to improper access control in planning when handling deletion operations. A remote user can use the planning feature to delete arbitrary objects.

The issue can be exploited by a technician with access to planning.


4) Cross-site scripting (CVE-ID: CVE-2026-42321)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in asset locks when rendering stored asset lock content. A remote user can store a malicious script payload to execute arbitrary script in a user's browser.


5) Cross-site scripting (CVE-ID: CVE-2026-40108)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.

The vulnerability exists due to cross-site scripting in ITIL costs when processing stored user-supplied content. A remote user can store a malicious script payload in an ITIL cost entry to execute arbitrary script code in a victim's browser.


6) Incorrect Comparison (CVE-ID: N/A)

CWE-ID: CWE-697 - Incorrect Comparison

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass webhook signature verification.

The vulnerability exists due to incorrect comparison in webhook CRA signature verification when processing webhook requests. A remote attacker can perform a man-in-the-middle attack on a webhook request to bypass webhook signature verification.

Exploitation is possible only under very specific circumstances.
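As an added illustration of the comparison-bug class named in item 6 (example code written for this bulletin, not GLPI's own implementation; the header name and shared secret are constructed), a webhook sender and receiver where the receiver recomputes the HMAC and checks it with a constant-time comparison:

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example; both endpoints must hold the same value.
WEBHOOK_SECRET = b"example-shared-secret"
SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name, not GLPI's


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact request body bytes."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_request(event: dict) -> dict:
    """Sender side: serialise the event and attach its signature header."""
    body = json.dumps(event, sort_keys=True).encode()
    return {"body": body,
            "headers": {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, body)}}


def verify_signature(secret: bytes, body: bytes, received: Optional[str]) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    hmac.compare_digest does not stop at the first mismatching byte, so a
    party that can observe response timing learns nothing about the expected
    value; a plain == on the two strings (one CWE-697 pattern) would leak it.
    """
    if not isinstance(received, str):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_webhook(request: dict) -> tuple:
    """Receiver side: reject any request whose signature does not verify."""
    body = request.get("body", b"")
    sig = request.get("headers", {}).get(SIGNATURE_HEADER)
    if not verify_signature(WEBHOOK_SECRET, body, sig):
        return 401, "invalid webhook signature"
    event = json.loads(body)
    return 200, "accepted event " + event["type"]
```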


7) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to trigger an unexpected webhook CRA validation.

The vulnerability exists due to improper access control in webhook CRA validation handling when processing requests. A remote user can send a crafted request to trigger an unexpected webhook CRA validation.

The issue requires config READ permission.


8) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to probe IMAP servers through the application.

The vulnerability exists due to improper access control in the IMAP connection testing functionality when handling configuration-related requests. A remote user can send a crafted request to probe IMAP servers through the application.

The issue requires config READ permission.


9) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to resend queued webhooks.

The vulnerability exists due to improper access control in webhook queue handling when processing resend operations. A remote user can send a crafted request to resend queued webhooks.

Exploitation requires config READ permission.


10) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify webhook payload templates.

The vulnerability exists due to improper access control in webhook payload templates when handling configuration changes. A remote user can send a crafted request to modify webhook payload templates.

The issue requires config READ permission.


11) Missing Authorization (CVE-ID: CVE-2026-44281)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in asset object access control when handling requests for a specific asset object. A remote user can request a specific asset object to disclose sensitive information.

Exploitation requires config READ permission.


12) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify configuration values.

The vulnerability exists due to improper access control in configuration settings when handling configuration update requests. A remote user can send a crafted request to update some configuration values.

Exploitation requires config READ permission.


13) Improper access control (CVE-ID: CVE-2026-42317)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete arbitrary files from the filesystem.

The vulnerability exists due to improper access control in file deletion functionality when handling technician actions. A remote user can delete arbitrary files from the filesystem that are writable by the webserver.

Only files for which the webserver has write permissions can be deleted.


14) Cross-site scripting (CVE-ID: CVE-2026-5385)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the knowledge base item content handling when processing user-supplied knowledge base content. A remote user can store a crafted XSS payload in a knowledge base item to execute arbitrary script in a victim's browser.


Remediation

Install update from vendor's website.