Missing Authentication for Critical Function in GLPI Inventory plugin - CVE-2026-48728

 

Missing Authentication for Critical Function in GLPI Inventory plugin - CVE-2026-48728

Published: July 9, 2026


Vulnerability identifier: #VU137279
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-48728
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: glpi-project
Affected software:
GLPI Inventory plugin

Detailed vulnerability description

The vulnerability allows a remote attacker to enumerate jobs and manipulate their status.

The vulnerability exists due to missing authentication for critical function in Deploy, Collect, and ESX agent API endpoints when handling requests to job-related API functionality. A remote attacker can send crafted requests to enumerate jobs and manipulate their status.


How to mitigate CVE-2026-48728

Install security update from vendor's website.

Sources