CVE-2026-32312
Authenticated Form Structure Export in GLPI
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi_project | glpi | From 11.0.0 (inc) to 11.0.6 (inc) |
| glpi_project | glpi | 11.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32312 is a vulnerability in GLPI versions 11.0.0 through 11.0.6 that allows an authenticated user with forms READ permission to export the structure of unauthorized forms.
This happens because the system fails to properly check authorization before granting access to sensitive form structures, which is classified as a missing authorization check (CWE-862).
The vulnerability affects confidentiality by exposing form structures that should not be accessible to the user.
It does not affect the integrity or availability of the system.
The issue has been fixed in GLPI version 11.0.7.
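The gap between holding READ on forms as a type and being authorized for one particular form can be modelled in a few lines. This is an added example, not GLPI's code: every name in it (`User`, `Form`, `export_missing_check`, `export_checked`, `can_view`) is hypothetical, and the per-form rule used here (entity membership) is an assumption chosen for illustration.

```python
from dataclasses import dataclass

READ = 1  # type-level right on forms (constructed bit value)

@dataclass(frozen=True)
class User:
    form_rights: int      # rights held on forms as a class of object
    entities: frozenset   # assumed scope rule: entities the user belongs to

@dataclass(frozen=True)
class Form:
    entity: str
    structure: dict

# Constructed sample data, not taken from any real GLPI instance.
FORMS = {
    1: Form("helpdesk", {"sections": ["Contact", "Issue"]}),
    2: Form("hr", {"sections": ["Employee", "Salary band"]}),
}
ALICE = User(READ, frozenset({"helpdesk"}))

def export_missing_check(user, form_id):
    """CWE-862 shape: only the type-level right is checked."""
    if not user.form_rights & READ:
        raise PermissionError("no READ right on forms")
    return FORMS[form_id].structure  # no decision is made about this form

def can_view(user, form):
    """Object-level decision: may this user see this particular form?"""
    return bool(user.form_rights & READ) and form.entity in user.entities

def export_checked(user, form_id):
    """Hardened shape: authorize the specific object before serializing it."""
    form = FORMS.get(form_id)
    # Same error for "unknown id" and "not yours", so ids are not confirmed.
    if form is None or not can_view(user, form):
        raise PermissionError("form not accessible")
    return form.structure

def exportable_ids(export, user):
    """Form ids that the given export function hands to this user."""
    ids = []
    for form_id in sorted(FORMS):
        try:
            export(user, form_id)
        except PermissionError:
            continue
        ids.append(form_id)
    return ids
```

Running `exportable_ids` with both export functions for the same user gives a quick regression check: the two lists differ only when the object-level check is missing.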
How can this vulnerability impact me?
This vulnerability can expose the structure of forms to users who are not authorized to access them, potentially revealing sensitive or confidential information contained within those forms.
Since the vulnerability affects confidentiality, unauthorized users with certain permissions could gain insight into form data structures, which might be used for further exploitation or information gathering.
However, the vulnerability does not impact the integrity or availability of the system.
To mitigate this risk, it is recommended to upgrade to GLPI version 11.0.7 where the issue is fixed.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-32312 in GLPI, the immediate step is to upgrade the GLPI software to version 11.0.7 or later.
This version contains the security patches that fix the missing authorization check, which allowed unauthorized export of form structures.
- Verify your current GLPI version.
- Plan and perform an upgrade to GLPI version 11.0.7 or above as soon as possible.
- Restrict forms READ permissions to trusted authenticated users only until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user with forms READ permission to export the structure of unauthorized forms, leading to potential unauthorized disclosure of sensitive information.
Such unauthorized access to sensitive data structures could impact confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.
However, the vulnerability does not affect integrity or availability, and it requires high privileges, limiting the scope of exposure.
To maintain compliance, affected users should upgrade to GLPI version 11.0.7 where this issue is fixed.