CVE-2025-64520
Unknown
Unknown - Not Provided
Unauthorized API Access Allows Knowledge Base Disclosure in GLPI
Publication date: 2025-12-16
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Description
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi-project | glpi | From 9.1.0 (inc) to 10.0.21 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GLPI versions starting from 9.1.0 up to before 10.0.21 allows an unauthorized user with API access to read all knowledge base entries without proper authorization.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive information contained in the knowledge base entries, potentially exposing confidential data to unauthorized parties.
What immediate steps should I take to mitigate this vulnerability?
Upgrade GLPI to version 10.0.21 or later to apply the patch that fixes the unauthorized API access vulnerability allowing reading of all knowledge base entries.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70