Main Vulnerability Database Vulnerabilities #VU133161

Improper access control in GLPI - CVE-2026-42317

Published: June 1, 2026

Vulnerability identifier: #VU133161

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-42317

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: glpi-project

Affected software:
GLPI

Detailed vulnerability description

The vulnerability allows a remote user to delete arbitrary files from the filesystem.

The vulnerability exists due to improper access control in file deletion functionality when handling technician actions. A remote user can delete arbitrary files writable by the webserver to delete arbitrary files from the filesystem.

Only files for which the webserver has write permissions can be deleted.

How to mitigate CVE-2026-42317

Install security update from vendor's website.

Sources

https://github.com/glpi-project/glpi/security/advisories/GHSA-jf72-cvjh-px5w

Improper access control in GLPI - CVE-2026-42317

Detailed vulnerability description

How to mitigate CVE-2026-42317

Sources

Please verify you're human