CVE-2026-42317
Deferred Deferred - Pending Action
Arbitrary File Deletion in GLPI IT Management Software

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-42317
EUVD
EUVD-2026-34105
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
glpi_project glpi From 0.78 (inc) to 11.0.0 (exc)
glpi_project glpi 10.0.25
glpi_project glpi 11.0.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42317 is a high-severity vulnerability in GLPI, an open-source IT asset management software. It allows a technician with sufficient privileges to delete arbitrary files on the filesystem, as long as the webserver has write permissions on those files.

This vulnerability affects all versions of GLPI from 0.78 up to, but not including, 11.0.0, as well as versions 11.0.0 and above. It has been patched in versions 10.0.25 and 11.0.7.

Impact Analysis

The vulnerability can lead to high integrity and availability loss for the affected system because a privileged technician can delete arbitrary files on the filesystem.

The attack vector is network-based, requires high privileges, but does not require user interaction.

Confidentiality is not affected by this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, upgrade GLPI to version 10.0.25 or 11.0.7 or later, as these versions contain the patch that fixes the arbitrary file deletion issue.

Ensure that the webserver does not have unnecessary write permissions on critical files to reduce the risk of exploitation.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42317. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart