CVE-2026-42318
Privilege Escalation in GLPI Planning Module
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi_project | glpi | From 9.5.0 (inc) to 10.0.25 (exc) |
| glpi_project | glpi | 10.0.25 |
| glpi_project | glpi | From 11.0.7 (inc) |
| glpi_project | glpi | From 9.5.0 (inc) to 11.0.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a technician with planning access to delete any object in GLPI without proper authorization, leading to high integrity and availability loss of the system.
Such unauthorized deletion of data could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data integrity and availability.
However, the vulnerability does not affect confidentiality, and no direct information about compliance impact is provided.
Can you explain this vulnerability to me?
CVE-2026-42318 is a high-severity vulnerability in GLPI versions 9.5.0 up to 11.0.6 that allows a technician with planning access to delete any object within the GLPI system without proper authorization.
This happens because the system fails to verify permissions correctly before allowing deletions, which is classified as CWE-862 (Missing Authorization).
The vulnerability can be exploited remotely with low attack complexity and does not require user interaction.
How can this vulnerability impact me?
This vulnerability can lead to significant integrity and availability loss in the GLPI system because unauthorized deletion of any object is possible.
While confidentiality is not affected, the ability for a technician to delete critical assets or IT management data without proper authorization can disrupt operations and data reliability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should disable delete rights for users who have access to planning in GLPI.
Additionally, upgrading GLPI to version 10.0.25 or 11.0.7 will patch the vulnerability.