SB2026070949 - Missing Authentication for Critical Function in GLPI Inventory plugin



SB2026070949 - Missing Authentication for Critical Function in GLPI Inventory plugin

Published: July 9, 2026

Security Bulletin ID SB2026070949
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-48728)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to enumerate jobs and manipulate their status.

The vulnerability exists due to missing authentication for critical function in Deploy, Collect, and ESX agent API endpoints when handling requests to job-related API functionality. A remote attacker can send crafted requests to enumerate jobs and manipulate their status.


Remediation

Install update from vendor's website.