CVE-2026-32312
Analyzed Analyzed - Analysis Complete
Authenticated Form Structure Export in GLPI

Publication date: 2026-05-19

Last updated on: 2026-05-21

Assigner: GitHub, Inc.

Description
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-32312
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
glpi-project glpi From 11.0.0 (inc) to 11.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user with forms READ permission to export the structure of unauthorized forms, leading to potential unauthorized disclosure of sensitive information.

Such unauthorized access to sensitive data structures could impact confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

However, the vulnerability does not affect integrity or availability, and it requires high privileges, limiting the scope of exposure.

To maintain compliance, affected users should upgrade to GLPI version 11.0.7 where this issue is fixed.

Executive Summary

CVE-2026-32312 is a vulnerability in GLPI versions 11.0.0 through 11.0.6 that allows an authenticated user with forms READ permission to export the structure of unauthorized forms.

This happens because the system fails to properly check authorization before granting access to sensitive form structures, which is classified as a missing authorization check (CWE-862).

The vulnerability affects confidentiality by exposing form structures that should not be accessible to the user.

It does not affect the integrity or availability of the system.

The issue has been fixed in GLPI version 11.0.7.

Impact Analysis

This vulnerability can impact you by exposing the structure of forms that you are not authorized to access, potentially revealing sensitive or confidential information contained within those forms.

Since the vulnerability affects confidentiality, unauthorized users with certain permissions could gain insight into form data structures, which might be used for further exploitation or information gathering.

However, the vulnerability does not impact the integrity or availability of the system.

To mitigate this risk, it is recommended to upgrade to GLPI version 11.0.7 where the issue is fixed.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-32312 in GLPI, the immediate step is to upgrade the GLPI software to version 11.0.7 or later.

This version contains the necessary security patches that fix the missing authorization check allowing unauthorized export of form structures.

  • Verify your current GLPI version.
  • Plan and perform an upgrade to GLPI version 11.0.7 or above as soon as possible.
  • Restrict forms READ permissions to trusted authenticated users only until the upgrade is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart