Executive Summary

CVE-2026-42320 is a vulnerability in GLPI, an open-source IT asset management software, that allows a technician with sufficient privileges to read arbitrary files within the GLPI_DOC_DIR directory.

The affected versions include all releases from 0.50 up to but not including 11.0.0, as well as versions 11.0.0 and later. The issue has been patched in versions 10.0.25 and 11.0.7.

Exploitation requires high privileges, the attack vector is network-based, and the attack complexity is high, with no user interaction required.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a technician with high privileges to read arbitrary files inside the GLPI_DOC_DIR directory, which can lead to unauthorized disclosure of sensitive information.

The impact is primarily on confidentiality, with no direct effect on integrity or availability of the system.

Because the attack requires high privileges and has high attack complexity, the risk is moderate but still significant for sensitive environments.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade GLPI to version 10.0.25 or 11.0.7 or later, where the issue has been patched.

Ensure that only trusted technicians with high privileges have access to the GLPI system to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows a technician with high privileges to read arbitrary files within the GLPI_DOC_DIR directory, which results in a high impact on confidentiality.

Since confidentiality of data is a critical aspect of compliance with standards such as GDPR and HIPAA, this vulnerability could potentially lead to non-compliance if sensitive personal or health information is exposed.

However, the vulnerability requires high privileges to exploit and does not affect integrity or availability.

Upgrading to patched versions 10.0.25 or 11.0.7 is recommended to mitigate this risk and help maintain compliance.

Useful 0 Not Useful 0